Analysis Overview
SHA256
80887d3010ece1abf731063ea5ad3380fe0e6c44f858fd446afece9e35f84d69
Threat Level: Known bad
The file ad1903329f84980bd2bbc5b877778daf was found to be: Known bad.
Malicious Activity Summary
Warzonerat family
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Warzone RAT payload
Modifies WinLogon for persistence
Warzone RAT payload
Modifies Installed Components in the registry
Executes dropped EXE
ASPack v2.12-2.42
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-28 23:09
Signatures
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Warzonerat family
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-28 23:09
Reported
2024-02-28 23:12
Platform
win7-20240221-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1336 set thread context of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe |
| PID 1336 set thread context of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 2184 set thread context of 800 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 2184 set thread context of 1228 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 1520 set thread context of 1560 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe |
| PID 1520 set thread context of 2212 | N/A | \??\c:\windows\system\spoolsv.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe
"C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe"
C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe
"C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe"
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 36
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 36
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 36
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 36
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 36
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
Network
Files
memory/1336-0-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1336-2-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1336-1-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1336-3-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1336-4-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1336-6-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2540-9-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2540-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2540-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2540-17-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2540-23-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2664-30-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2540-32-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2664-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2664-26-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1336-35-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2664-36-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2664-39-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | 0de5f37fd1e34a18d013bf7fa3723e58 |
| SHA1 | 571552fb69eb1d212275ce805b8a4e528650664c |
| SHA256 | 24c55074101aa2d318c0cfdd681b73a119b0d0c497a4495ce09b1b0e44789db5 |
| SHA512 | 7b368dfe0b3449c04427bf1012620dc4c3e4f58d3112fefef94fbe82c7e4b81e8dd9d48b3a9f1233efc059bd932325c42da916eab4d6585062df4021b71706cc |
memory/2540-46-0x0000000003160000-0x0000000003274000-memory.dmp
\Windows\system\explorer.exe
| MD5 | 75f7c25172400e18aa8ae89abadd26c4 |
| SHA1 | 0c85b8f9f703daec94b21f5d04c6f8ed6f8b37e9 |
| SHA256 | 6da26133de39bf695ba0ee5e80a95ad4ee62152341e62d958fbbe00128dc7eb1 |
| SHA512 | b7a1705011c2f493aeb60e21c76c1e362dcf623db5846338b874e42d3725956d337d368ab8f5fd0b31ceafb6bc33a4a930e31a0ff08fa03e799057307c9d0e7a |
\Windows\system\explorer.exe
| MD5 | ac90cc2b39d954efce9aefe86f598aef |
| SHA1 | ef0f725fadf49ffc872602d8d51d37bab5ea0c0c |
| SHA256 | d7be2b1901ad15fed1212533bacecde6566f92b35d00040e2a4479eb84c9f23e |
| SHA512 | 3a16a2872bea16b0314bc4d6828852e8a310fd3b272356d1dfbcdb4677cdb47afc5848e894ad481ae3ddba48e3f38148c71feaa4fe3eb281c63de50a6f4a9e46 |
memory/2184-49-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2540-51-0x0000000003160000-0x0000000003274000-memory.dmp
memory/2184-50-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | 81124fc15031060b62aec6d1cfe5aef1 |
| SHA1 | db95f75e05c33fbb61bcafdb9b5bb68f5f7c2016 |
| SHA256 | 54c36bbc8231120e819577596de622ea12e7b33facf3879094b2e091fcbf7e74 |
| SHA512 | 8d52cdff1c4fb57cd1769b25661cfada286272c2d1a5edfba632feb5d0e4293e448d3d35b2779355fd4dc7a1a13afdee4b44bb72f44f90b07abe9de60f5df5c6 |
memory/2184-52-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2540-53-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2184-54-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2184-56-0x0000000000220000-0x0000000000221000-memory.dmp
\??\c:\windows\system\explorer.exe
| MD5 | 3233401c63e87beb409c5c935aeb594d |
| SHA1 | a050a193abea60c222873f5e0803a1eb0131f6bb |
| SHA256 | c701102144eed6c936d5163ba9b4f7f07ed8c1df546fe759186378f1161f06d8 |
| SHA512 | 1670c559db9d11ddabe5a60b2d981a41613dee11a1536bb52ea61d23d02a98a9f061ea10db4fc0d8895e2050d20d2ab18c221a75043b98db791d4f99b9128bb5 |
C:\Windows\system\explorer.exe
| MD5 | 177e2d616567f66c978047bc88c50784 |
| SHA1 | 720900ef0b4bfa98459b825f6e8c0c6ddf1b03ed |
| SHA256 | 07c48a58070b0d29cfe14dff017c47b7c87749202ad42f8d70533cb1bfda30b3 |
| SHA512 | f79268ea15128ab149730c74f1326dfc5fb3f8b6c3ac19de2ceacd7ce4ea731e4ff55102148e78c1277d545b41893e0f9a99e042492bf927ec0fff84980c415c |
C:\Users\Admin\AppData\Local\Temp\Disk.sys
| MD5 | c6a829b78b42e688619477531d8e7a02 |
| SHA1 | d2070462023f3e0aa5edb5fef3affdd7649d41de |
| SHA256 | 8016394d9d7ce78709d13423b9c8a560f49799b77c7624e872c6d15e760d7936 |
| SHA512 | ef5024f430abe38414955bb59f5710ba0f15601a5a226f52a5a622b284060fb384ad252738ff8d81676a5d7cd1520bac992dd1fba0e615bdb19fa2e2a53f95a6 |
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
| MD5 | ea9d5a44a88cc9f312ad6227f2bd342d |
| SHA1 | 5c9ba3fa1f8fbb353398cfe4ba67d4dd6f1f32a6 |
| SHA256 | 8fafc1186650c4929dd3beb3d2e82eaa0b50cbedc3cd46bb2cc8a75a3a4b00d1 |
| SHA512 | f78304b2f76bfb4d956c96b4b42cec0e632f18d8c5a45ad2ed078660f684d9c686be17d33d06650df87f26361a8298451a52d999d21a390eda23a4b16dd27d9f |
memory/2184-85-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1228-88-0x0000000000400000-0x0000000000412000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 9f85c71a79237e24fc80cdbea96da1bb |
| SHA1 | c725449b6af9554823228d5134015075fd964339 |
| SHA256 | a3b9153a022e47ab395b73acf5e471dd1baa9462e01d5b714adfc37730bb3696 |
| SHA512 | d056a9679bfcbcbccc0c1866a638aa5d3eff3890bc53fc5354ce03956a4425d53ffbd214853368bcb445252f1b48be91d93015ab44472c9a30bc93caab400020 |
C:\Windows\system\spoolsv.exe
| MD5 | 9c7650cb0965cb187f8715462e4faddb |
| SHA1 | 53b11aabaa7d14dbbea3042dec4c722acb8aa95e |
| SHA256 | 8fac58f140e42330c00f834291848d53ff27f80937a5e011e4e084658a3ed3f0 |
| SHA512 | 3755f0a0e059758a60d91173c9932c0ac031ae516aa32b22cdd6eeff5638d2cb4eee836733509492df1c956b6b313feb2f7502483e614633d8bb76c3ebef2e72 |
\Windows\system\spoolsv.exe
| MD5 | 0d27c60cca54fffbd4fcc8ba18be9896 |
| SHA1 | f85ba594ae06185277656f9b57894fb9e0cc0ea0 |
| SHA256 | f35c03ecda0e890b45e9e858c50643acb4d635339025e1972cabdda9908bc8e2 |
| SHA512 | fef1317430c884870b06494cab83468748655ea1f8ac07b10fb2a271b7e7bb846bfca1143e6e166720f403ab2e6d20df999ee0fb5d1529970e31bff754fe6c82 |
memory/1520-100-0x0000000000400000-0x0000000000514000-memory.dmp
memory/800-101-0x0000000003230000-0x0000000003344000-memory.dmp
memory/800-99-0x0000000003230000-0x0000000003344000-memory.dmp
memory/1520-103-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1520-104-0x00000000003C0000-0x00000000003C1000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 14d8ad06a8e1edc12b849c922f5c84e7 |
| SHA1 | 349f966cf60f2c097c91756b19c793e839fc8e47 |
| SHA256 | e02f6945974cd89443eda4e450be96d46f79054eb85c1d56ac173811e49ee220 |
| SHA512 | aba3dd0511ac7ac5401a20ce4849a94325ea511534b5bc42027c0530207564820c71bbb682d33d299a92646360a1a7dd79cf197b5b8fc3e0a4e505c68955390c |
\Windows\system\spoolsv.exe
| MD5 | dd4b7e8a4e5b697ecde966a46233cad7 |
| SHA1 | a6812c5b5c745d4b8c410f9afad0db060f5fc291 |
| SHA256 | c8b120c29373c63f84c13273c99d919967c8d5d0269571f4e0bfa5cc862bf187 |
| SHA512 | 7d124c0086ce620b559eb9d8d470c2bf023564cf8cf9b4ecacccea1e152337b3b2ba24ca907a60471f11f5373961629895377d2deafa8b48a41515640c853515 |
memory/2116-115-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 08d17d60a9b1cf21a53d13b805318035 |
| SHA1 | 8d9a21582d62c7130ac82c508ef80c8e8474e259 |
| SHA256 | 2d2e7852bd201e1e9670212e175b2d00754af8ea37511c97a64a64827c0a51b5 |
| SHA512 | ba713eb3994465b2eb4f82a1bd295b9a6bc4420d5bc114d77dc30f217e27c30e4293a5b426162610adf1112906b6476186f2a567bcd72ccff99fc5b8ba6a4655 |
\Windows\system\spoolsv.exe
| MD5 | 3af67bad37ffac13decb4195d1dbc3e8 |
| SHA1 | 7c59c4c95860131a61a7cb6ee509dd227a5b29ff |
| SHA256 | 2d622b9fe32292ae9cf15b5e176960e4a38e81f9b6dcc20c7aab899f4dd42206 |
| SHA512 | cd3aad367c8e8c6ace4cf065b37ea9a4acb38b6978873e6f61a803c6d7f7f662c40f60a3ef8efb782da01f074a5f96fa1297b10a0551c537ce8707373e6119dd |
\Windows\system\spoolsv.exe
| MD5 | a657a4a1f9a1e4f0f639d34f389602fe |
| SHA1 | 2b5f89043ec937f57fceede8012af3b96cf1ee9c |
| SHA256 | f4e5f6d30083bd6095cd6808dae1a8daf852a128fff58713ccc5ad6d5a6f6da2 |
| SHA512 | 0f298e341c9d26b31231c096628af297a3ae7ff622b05dc04daf4e5286bf498675b59d835a19f1b72de019e55dc98667cd2e53969fd09f3190da31d47c3a7b5c |
\Windows\system\spoolsv.exe
| MD5 | cde22949e9864b81046b5e6c48a38059 |
| SHA1 | 9f04f37261587dd141ea2f6c61a33c246ffca335 |
| SHA256 | 9628f8bc8fa367791cd374e99b451a532359197ddcd61eaa97d6a448b19e55d9 |
| SHA512 | f3a252013c010d911f84d26380c8e094550fefac0c43a6d2875cd202254c7f58c2f93afff66b664127a4c75f12f721d2c09e6b035a95cf5bd0e793a0c39ec9a6 |
\Windows\system\spoolsv.exe
| MD5 | f3057639c41cbc3a4edf9dd40ccad258 |
| SHA1 | 4c4ac99b273a535bf195fab53e7992ab185179d5 |
| SHA256 | c42f644f34fd18c0e5ac895d02fcf327fa06ea53d7cd56e3d24e2d42e3d01c42 |
| SHA512 | 23ec03104adeab5e85c36fed78705b30e94328391c1303d5c6937b59847bde416e4e45dbba782cc3297dcd3bdb2942161a31d320e4a3e604c311b9956a87978a |
\Windows\system\spoolsv.exe
| MD5 | 96d906f5fdb62d4ad27a3be4a6baeba0 |
| SHA1 | 33c098c1d0f13f28c8559af0b2766ee4597d5eb9 |
| SHA256 | 6d724ac3112fdabe60d25689babaaba347242a373d6cc2b754a9aeb0b7e29766 |
| SHA512 | 3238a1ff3ca158d5f7ad92e7659b59b494d77cd1e559cc0bd200018c90769834c04e8a506e87c8053f9089138db5f3b36164415d7ba3632a0503a862efc3c2f1 |
\Windows\system\spoolsv.exe
| MD5 | f80f7c1a2332e402dcbe57235718762b |
| SHA1 | 356d7df426c9f27b4a701e120b5f3be119c60fc1 |
| SHA256 | 5d482bfe9c2b68397ac6582f1aa0560dfaddaead42e223c49642f8f0049443f1 |
| SHA512 | 60f006447d3decf77df7e38cf9450b87d51101a439045610521b57321d99350fb51141f41a61e755213036bbf23a6d2837e734d4b598130d91605e9cb5dbcf7d |
\Windows\system\spoolsv.exe
| MD5 | 275da67b8e0f3f687682f06615c55904 |
| SHA1 | dec1f2e0f7a194cdbc5685db00c92ee318a7adf5 |
| SHA256 | f79ca4b4672d1e037f01ec2b30274dfa3a5c4cab8260b5fd00c301799e6097c2 |
| SHA512 | d0024058a09f6b189ba086ea91276d88b7fd84130e883bef599dc218d5817067eaa319ff25537c7e7ad5bf3263be814ca787f9e57d0f53a9a59ec4ffaa382e48 |
memory/800-123-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | b0b56ae510224bdfa067415216bad812 |
| SHA1 | f3641966b8507754fa45cf55a2abf183ccb8562e |
| SHA256 | 82f04f5de0cac9d63243eb631d67805a058c0c78d7d5a2e94c01c04ef7c3c78e |
| SHA512 | 6c5b2a78290e66e3aee623befe11ebe82bb515e8117b6c7884b61c107a2109699cf77ba0e07749f7786418bab36521732a71c101f3a9a879efd14474ec5bccf0 |
C:\Windows\system\spoolsv.exe
| MD5 | 45dd6003fd1c9fd66fd25e57129ae81d |
| SHA1 | e2fb74ed58ffb5ee4bf3ae58edab3d780e4ef5d8 |
| SHA256 | 4e221afb40a4e2da94933629405e5cc1403b1e404647123300746bf9092bdda9 |
| SHA512 | 995a79310cb464d5aecaecb0d59644e824758b48804055a79c54c566f3e2db79d0e59ad8d341e978c19807daa7d6a843d92c986fc8c4d3f234d832c7cd047f7c |
memory/1520-132-0x0000000000400000-0x0000000000514000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 8f69546fe9216dbbae46dab84eb0befc |
| SHA1 | b79d5b3e1807726320dab94277d15e37d6d19c91 |
| SHA256 | a75733cce8208e4734ad87967e5b52a35d6c9a5d50dd71d9d0579da0ba5f00c8 |
| SHA512 | 36c20fb038a01ee75282bb30dbbf30b9aced5006626ae282e265588a4171fd24ea40fbc1b2c629663d9895ed694f0b920c9c61576086a3d9e78e09e6b132ec8b |
\Windows\system\spoolsv.exe
| MD5 | 7a0bde49424353a782b1b6adc6fcb091 |
| SHA1 | 54eb71c70a94773b35d539f7409a27771fbf1c73 |
| SHA256 | 3c5e389de4aef7e51e7c357991e91cf1f3288c780d5b19c08b4f23ea735b49d4 |
| SHA512 | 94c732319ad86412a85a8f0bd1bdd62a291ef7b3edea8ebb8a836a395133d0e3af69e438278494a654011fd2012b4c4222c5d25aba8fd1a5469be6d22b51532b |
\Windows\system\spoolsv.exe
| MD5 | d8f0e4e0ab2983695b7546784ed9ea5c |
| SHA1 | cbc6f42259c87e52f17dd5d77e69bff66b7cf202 |
| SHA256 | bc1b0e79b0020263fd0045f1914106ac4f4e60c3c7541ca34a2c919068837403 |
| SHA512 | d8b163cf048f845ccbd4a78273c5cb269db48504472ade3cc363c9cf3efb4a322871a357f1bc70992a10dd32706aa7d433833dfda3c14313423e5972cc8c2a88 |
memory/1080-139-0x0000000000400000-0x0000000000514000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 42d53880317d0fe701b2486cf7fc8c44 |
| SHA1 | 321aae311f3f18360a7b255e98427650d2cb5f43 |
| SHA256 | 388c9339adf81a56058cf91b741623f3acd35e0cb253a562c74f311327171fce |
| SHA512 | 35c8d84d6255ffe03191a32ee4a2c229089883d0efe287a7ca371bdacade5a31b20e63fc502625f66498de810c2e891dece63edf0b6cd9ce943cc243032f8c54 |
\Windows\system\spoolsv.exe
| MD5 | d72d5cad5a6251ae264088c808e89117 |
| SHA1 | 25583117cee620ed253262684e2ea16a41ee0b21 |
| SHA256 | 085f1695cc36bbad248927d34092a65225379a1d72573555281f6a2723d41076 |
| SHA512 | 0e9c40089ad720fd67f2efcdc34c09448ad17ec80226e3940599303b28067723de60e263e8bef5cb9470e067cceea985b927ca7db39542b7e42bf4f0fbe27fc0 |
\Windows\system\spoolsv.exe
| MD5 | 870cd42db9be3757c0b160f9c8ada129 |
| SHA1 | d1ce501bbd2a2b7ca84476426ad5931af5eb4994 |
| SHA256 | 826851d5b3195e227077de5ceb018cf582cf7d2aad1a55f2ecc6775a256f88c3 |
| SHA512 | 03c82fa10d6806090629d695ae2d3d655e2ff425ef77ada7b0f158aefeaf88c779f4596b1eca94bd0c9f5882a5f4e9437b61a50dbe6b6798ef57a36e664b7cb3 |
\Windows\system\spoolsv.exe
| MD5 | 4e6ffc9732021abd9bc6909e59bdd29f |
| SHA1 | 49aa06a62d8b70bd21ddc4ef22b2cf06a380a3ff |
| SHA256 | 3e2ef3052a575b7186f0b2f923d01517c7940e30e270d57e8ae4200c6f65cd14 |
| SHA512 | e140056e287c071a80ee04147283824c4b773ff5a6ea15a715708d4632c1a5f3f15efc797bd5185e90a0cd533649c102146b956025c3c26e4e7b31a34a41a8f4 |
\Windows\system\spoolsv.exe
| MD5 | 3a092cfc559b7fb1337285b8ce31e02b |
| SHA1 | d6533ebb12ee93d856c009ab6090807fd3d714e6 |
| SHA256 | 8c4a2637460994a3a49c1d383bcf658546e73f947dd0a1cb0253c2b69a451e1f |
| SHA512 | b7cb135b17203394fcde387d53a7f6888d7b580eaf7e679f9ccb71e3891daad94f9515b0b0edfcdaca018efbd8ae5075efbd85dc55b623a6d637e67a6582abf3 |
memory/800-142-0x0000000003230000-0x0000000003344000-memory.dmp
memory/800-141-0x0000000003230000-0x0000000003344000-memory.dmp
memory/1520-143-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/800-144-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 92978569a37e84e95b84bfacb3573584 |
| SHA1 | 3078be2d293d3cf3a5ba9f460ed98151be154f1a |
| SHA256 | 07ae7415838fee607adcedef35de4454040dedd8755d4289ea077db38eb65a34 |
| SHA512 | 03cba5bcaf99a479d8a4bf3349c3b554b8745a598a50e780040ce1e22371667767c5f57120f987ee40f10cffd75d8204f9592bab53a0c7bce4a3e24b12a08766 |
\Windows\system\spoolsv.exe
| MD5 | d5aa0a5a08596d69eb33910ddcf9d10c |
| SHA1 | 6bd7a389d8f9457928ba27b4d60011b14158afa8 |
| SHA256 | f1be0ca70cd1edcc5ff988bf09d0da94a52c8a81b8a1c28a92cc5babd0a5d0f5 |
| SHA512 | 90bb651b9a112f68950b800644982516a5f6260cf545e8b951178d42a461317d9d888ed0cfe50ef58c39075db1b6312e894d9329da88aba7f2c5228e63616007 |
\Windows\system\spoolsv.exe
| MD5 | 6cd007ab0b6c7871422f5c6840355d43 |
| SHA1 | e84aa237fa71a0b97ba881017b114e55d5910315 |
| SHA256 | 4864b9642d67a48be0b65b43f7a76ef511c95116038fd99826cea194ef39c3fb |
| SHA512 | 6a6d48c973d4f1ec958cf5958e393fc0efc59128cd7c3e407dfc328c067e21ccae1cefa7ce8d43dfa07f36091388cae9874c435f8e891b769b8d317670e929fa |
\Windows\system\spoolsv.exe
| MD5 | 145d45b74862b5ea6f45eefac9a34e9a |
| SHA1 | 1734e6ee5824edcf757d8b3fc103e896c13ecf60 |
| SHA256 | d3e26110c2ebd2112942b56dad4b0ce136ff6d4835de6d31ca7ff0d8966a98ff |
| SHA512 | 0f210a11b45f8e34f9b082d005b3cd633c9f172db2719352904d582c7e8b812de40b79cf4bd9c1121d3d6ea243f1f0533c2ec421d328a19b37bcb23bc7e83a1a |
\Windows\system\spoolsv.exe
| MD5 | 864adfcd7722a66dc53c4d8b398beb0e |
| SHA1 | 8f304eeca7e4c9cf73ad3baa4d021c6419de3dbc |
| SHA256 | d522be96b13cd08d20b2a660a89d5b9fb2c003cba545d2d4729fa8f766b41f44 |
| SHA512 | c26a9d709c793678bb4764890de7b0e79bc467a617f522bc9d2bc1354cf911c123ff167e74b87ea82bc4307e22a2200f94b8e6d0bf90e099f7acfd39ec7ac1c9 |
\Windows\system\spoolsv.exe
| MD5 | 5a9f7205c6c8f6bf249add1821ae7d72 |
| SHA1 | f89c8629035ada0ed05aa84201bddb3fee91d375 |
| SHA256 | 49c64cd142aaa3374be67dd7f6b2154fb431a06c5db61a814affdf78de0b516d |
| SHA512 | 0d8302499027cd5623a907c7e4da665a72f07a83c7e020e2baa2da72d6b122d911a271d37ee0df542f0cc7d25f98951efb057dbf6001f74c8a504116f05be791 |
\Windows\system\spoolsv.exe
| MD5 | f91173417f60d68f8ce926f83c5509a5 |
| SHA1 | 40b7e88f4a9fea0404008aa2bcae96b146bc886a |
| SHA256 | e681d970608118bbca1ef380e9eadbddc262f86d0517d7be4f2bd2eadd99be69 |
| SHA512 | 7a0e5ccc7ae9597d5c59d458e4db91bf255bac5d8e53a1748bd311b3cc0837deddbe30ae50291cb3b1c593beb36b92dddd37b439f4e41468aacd53a48cae6079 |
\Windows\system\spoolsv.exe
| MD5 | 11656caf96421f901d9feac1412d1c4b |
| SHA1 | 91f5c53321e5c9d93e1a34757c1288442648c15b |
| SHA256 | cfce0c0a18bfd1f83356765b373ae1ce77380e9a3fc99834f8cf6988ac8b6570 |
| SHA512 | b4626809b5136b8c16c2ca2a7c9115b2f6bbd2fbc26e4a915ebb01ee476cbc57d6dae714d1c814fdb5f6bff2c39914f138b8c7329cc927aa13cf9dafd30b14c9 |
\Windows\system\spoolsv.exe
| MD5 | 1560e7e38d6da78032e008aa55f4dd0a |
| SHA1 | 8c517051c7c99d2cb99549d4e430769d29e2cf5a |
| SHA256 | 1fa8c9d4699a2dd838da0e28c8f375913f1d14e080342b80dc7eadb199b854e8 |
| SHA512 | 95f51edf7c9253d7d45fab02bb76e7e9fb8e8327c8fff7128a3f26cf719f0b943923391d1e720d3e98f9b1d683f4550accc581eec86097d4aa3cbb1dc4c7c31e |
C:\Windows\system\spoolsv.exe
| MD5 | 22677d77c1a8562e0e1000a6b871252e |
| SHA1 | e9ef1d2ca4e4a47fd29ec7f63d89cc020ceb0bee |
| SHA256 | 0b490f473ecd8e45f1de13200ad7071f0a6af226ee677983aa7629e44c386a81 |
| SHA512 | f1b94545cebaad9d479365ee51d80855b8ae9c73f2664b5db7557054cd9fc5c886b8add9c540f8037343e74c2faca6419ae18e4a033eb18839f9d5a9ef677195 |
memory/800-153-0x0000000003230000-0x0000000003344000-memory.dmp
memory/800-163-0x0000000003230000-0x0000000003344000-memory.dmp
memory/800-162-0x0000000003230000-0x0000000003344000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | b2fd3db31ced2514cfdfaa1d732cba33 |
| SHA1 | e383674f483f35c406ff2c90bceb37b51162b77e |
| SHA256 | 0559c36005a4524d7b60cdac38a27c5954ba1005fd9f7c336208f757828f6333 |
| SHA512 | ddb1c573007e5d279a19c80a300130ca40e9acedbbbb5577f45d5d825fe6784fed6ac54a5ad02139a13169509cff8adf1b564142a652049729c37aea0e60bbfc |
\Windows\system\spoolsv.exe
| MD5 | 54295b6ce261f634a949a6d5df3d9582 |
| SHA1 | 664c0b89fe17f70193f1996df787cbdc67c7e471 |
| SHA256 | d1eb2d65e114cd33c41366cefb83f97e6e94479370d1211a1471ff64250065f9 |
| SHA512 | b2bb5695901df86476e77cf46b9b0eaffbcbb4e1d79e8291583c1b62a7671732c3bb1db1e6c3c839bf3bace963ff1efeffcfe63e97372a0ef7d865de3e8c749e |
C:\Windows\system\spoolsv.exe
| MD5 | 735c5472921a4b4b1795ed5d62ebfcfe |
| SHA1 | 5152f65233d473ed267f1138238a1574e767fa5f |
| SHA256 | 2c07bff1d1294221355a5c08ea9df17b701ac1471f382a482bbf9c2cc2d8badd |
| SHA512 | 2b314bae8e9d2e15666a57da2c098b7089c2648fb9b03a6fb5c6df97a88782fb2c3b9634a487ed10dc6e8ab262be2128bfa690f9f8694dc3e472eb41ebb858cc |
memory/800-174-0x0000000003230000-0x0000000003344000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 589e3a048b65e012e8b269e78097781d |
| SHA1 | cf552a3f9dd0924d5cc3149fc4e92b0826eb5949 |
| SHA256 | b55fa47ea04564d4201d1de210246cf78e4122a822234dc87dcaf0a733589607 |
| SHA512 | cb60bd5d24be41475beac282b4c1d9c39429b104a4be7908824d5c2dfd8306bb53292bb15327f3e5b65a8bbb598ec0c941c30a6e8f870247cd62d984d5fb06f1 |
\Windows\system\spoolsv.exe
| MD5 | 740916b8c99bafe92f9b63afa929347f |
| SHA1 | 0c851c1b27315e6f54d35be8db42bffaf1eddffe |
| SHA256 | 01cbc883a6d7f4f05981e459ba38e065f79ba53adba00b63d3f2b82f57ab5218 |
| SHA512 | ac00f375975583aa0f9194ff5e69e0a08597d7266937949165f3e2843696122d10b2285b168311763690967520a8fe1e4fed4d3f352b8a97eaa28713566862bb |
\Windows\system\spoolsv.exe
| MD5 | 3b9264a1fdb96ed015ba348bac65245b |
| SHA1 | b9b3a60ba1bfd3f1c7e74541f2fa092d4afcbfbc |
| SHA256 | 5c8e2357763fc531cb68c2987ec84500ed3a5fe65adb74435f1fc0b288ccf403 |
| SHA512 | 5e4de12559c6b3356aefa1345a7ab1e9943aad2f0875982b35ddd978aec196ebb16b0743b433227e0b03eb12dfd67057abad70624922a4afe190bf5e906ca31e |
\Windows\system\spoolsv.exe
| MD5 | b67a0b1df923d13db86050014ab10bb1 |
| SHA1 | ced73caa2725c85ffbe98b960029fb2c509edbc4 |
| SHA256 | 4e0e91acda347666a3c1c171f36b66ff4c0a15ac569040d0bae2ee23119bf012 |
| SHA512 | fdfff51753de2d680dcbf07ec59b7a58691f4895f6d9449753fed5e510883c9aaf7d1d5d0b2128811c1f6ab6a1414f4a01f87290e42b26732f51a3c66297ee82 |
\Windows\system\spoolsv.exe
| MD5 | 29fdf865c314612ef1b18eba56308302 |
| SHA1 | edd323e22885a0549a5f97e27d769914ad22188d |
| SHA256 | ae4ede1d27e8295114d6d25537090c5b1500b8f4fa00e0ad323d9b082ec5367b |
| SHA512 | 6afe9540fde1b8c08e9383480894e52b6e8afb4112e3dcf2b9cbab6bab1577ced787d28917c8e3e3f8527af6650573e6efae2e6cb8e9969b07fcadd3572c8d1c |
\Windows\system\spoolsv.exe
| MD5 | f82eebd6fee380d7623b7d343d03a6b5 |
| SHA1 | c47eb41595d369bdd4f1b0c72cd7c13d2604081f |
| SHA256 | f8373cbd5edb9c07471f742c813296769bbedd5dd0fc9e1c81965e62ec19d74b |
| SHA512 | f6d66a2c57aadb92198624d5ac921ea660164648411c719b6c6aef687691590c4477c7bbdf0d52a74149129e79947d289324cce10a307723cc8e47bbb60df6ab |
\Windows\system\spoolsv.exe
| MD5 | 6d721fccda34f6a43de6c46f775068bc |
| SHA1 | ef8026fee90e2b32e3319341389f4f6fc57d068b |
| SHA256 | 289ab40136b8daa75187eee33ea894bcc471e31f55e2c7dffa768b5f33f0f329 |
| SHA512 | c815471ad105d859c032d0a187f7fc17357143b935872f66d3f25a670320cc272c7615ca9207dd61a64863e54bc92486d0b8515a4f95ef0f4084e9a54346f738 |
\Windows\system\spoolsv.exe
| MD5 | 276c67f0456d1c275c1dd237bd67fd00 |
| SHA1 | 59e2cd314910483f810d221ebb882403df23ee6b |
| SHA256 | 129edaa9276c7ca6a6259178e28dff37f8e451fe0755a8d5edfe4f2cf97093ae |
| SHA512 | fa0cf83ef203aa766fef068b26e4b9eaa5fdeafc39e5bc32d561fcd605b7a693a9fc52e86cddbf429aa02207695ecaf89b3533b455137b7be4b83fadb0913fdb |
\Windows\system\spoolsv.exe
| MD5 | 2721918ad37fb7c67da821e748c30209 |
| SHA1 | 8a871b53c6f18eae7a03ce02e4314090d9120b50 |
| SHA256 | 10b020f6e89b14d24d335c24796d166c7479cc4b22a941b0d6ef7a25d21767da |
| SHA512 | 9dea77379f18d0146102efbb4290e109669bea70a7b9367f764724dbe9b2b44bda97361b8a6bae3daa493953658c725ba0006090e8ab2971df8e2881e5a69e41 |
memory/1496-192-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 1959c1b1435d800fa3eaee886fdc072e |
| SHA1 | cab05659ab34c686f58eb66833bdd9878e89e41b |
| SHA256 | 37c0bd2530411a1a661b7d1d2e22ace010ed4b62ffb10d208ceffb99ec552d8a |
| SHA512 | 510b1b21e4554ac30f8926b17b40284cd9c88c1b7b3d3dbc9fae6571e4153d82486818879293648aee6bf53653b5e1cecf52f26839cd58937d8a6af46de7bd57 |
\Windows\system\spoolsv.exe
| MD5 | c1d86839b95302e13c16ba2545c88006 |
| SHA1 | 0265daf0c6d6a5472f697cc8e09e03d43cbde8b5 |
| SHA256 | 8cf16c96f5e04ecbccba97003b4899b056c953d4cec62648688719ac197354f1 |
| SHA512 | c9458a282d7ff672566084bb05599d2c2dc9bca1e80f020b5c47422cd97f9fb76c06408fbb0539bfcaf86c407e7c10f10fd4945ae44fbf14e38977247f4e067a |
\Windows\system\spoolsv.exe
| MD5 | 2a4db667b91a86e9b9a40a33c2a02471 |
| SHA1 | 21e2d83a556457f04ec89d6b7ccd7e581232616a |
| SHA256 | 78d6e86ca4d079d6491084c95c712a5649fdab0b2ade904649df020dea491d1c |
| SHA512 | 6b10e071de537aecdc36f70ed6d2cc04e473a3f15efbc8c6a91ddf6134a916663e2f04b6738e05dbfbbdf5ee1aa1389749223c8d5d95f67956e557a169c96859 |
\Windows\system\spoolsv.exe
| MD5 | aac0329c08c005164c670640d42b0642 |
| SHA1 | d3a27e155406884034410fe34fd5a2a043907f60 |
| SHA256 | d5f45b1c2c3d9638cfa9051237c9300b868122d10243701d8e80c3b398e99959 |
| SHA512 | f9b3cae85d4c17171ed196cba43a9688ccb497b134d4574f84ed7c0685499dd43977b2fd49626bdb37fc37768b46dc66086156fff146177bdeebc33a9a641d4c |
\Windows\system\spoolsv.exe
| MD5 | 7ff84b5dd56895c9927c07443baf4e97 |
| SHA1 | 58264f62bea4b611d0ac18a7f6ef9dfe874823e2 |
| SHA256 | e828a8658f3e4d526ef118fc8e31ba3b53ecd520442b4c2ffecada4982f72ef5 |
| SHA512 | 70fd932d160b2b221fe9aafcd0c2cac8b2da924dc4f85657d806a43986d01d3a2df9812e58606930adb17cd769ad4a1f2c9f39ff2ace72c4671e87e575f2788a |
memory/1520-201-0x0000000001FA0000-0x00000000020B4000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 584cc851aee44ec1ea9fe4455f8de7f0 |
| SHA1 | de2166a2976b4b426d63125facf325fb5cafaab0 |
| SHA256 | e932cfa4a5977361963c59abec11ba6aa4a18af7614e7a35c81b9c8906c96794 |
| SHA512 | ccbb961edeea4a60e88a7b440b7bf61fc0c88444283369c103eed11be5ad636d7794de1e2459d6e5a0739077a622961ea233b6b4683071254abb3767a27f997e |
\Windows\system\spoolsv.exe
| MD5 | 6cdc95db7c20e9be4039423e6547e7dd |
| SHA1 | 69c6a5adc3c8fedabdc12f9603eb4fbc7474969a |
| SHA256 | 92f63247ea8628f5cf68d7e95498ca2ec76eb15e576f4e52b3fda972e7c32dd6 |
| SHA512 | 31ed43334fac8afb93457c691192820f6ba3fa7ad5c7c7b0f717fc8ac3b9f9e6cce4acabdb22659b297ed8770961d777ce6d5ef89dd0a6817af79708052891a5 |
\Windows\system\spoolsv.exe
| MD5 | 3019045be239ac3b16202c35783424f6 |
| SHA1 | baccc86230dcff16c7bd85fee8f20df89670bb2c |
| SHA256 | 6975c3f90b9ecfc8b3b015d2eed06d4e9012d423cd9831443f6d7b574d791d41 |
| SHA512 | 198f2eb2af87f976163c3a278f1b2e08ad5c27ac865259ccc367c84d336e6d2b8e0fe3620997af1d2f322094effd8214b7d99a7735755299bf5aad9fca5e7a3c |
\??\c:\windows\system\spoolsv.exe
| MD5 | 3f80e1ac25d0c6267f63f0b6faca28a7 |
| SHA1 | e78acb520a0e6e22987366b1db199db8f5df3168 |
| SHA256 | 8d02c4e1d9886a5bb17ebcce868ab657e8c92e58c1326037c88c90a425843529 |
| SHA512 | d2db8d64fe8cbe149569ba447748f63d029eab2d3ad7911753032b3b08f094cb9314e0f1b47e48597cc8738cdcc5e581ad8e3be1e86d068963de19aa0d09df17 |
C:\Windows\system\spoolsv.exe
| MD5 | 3cd253306716d7e6842de119263d7107 |
| SHA1 | 34ef683a22b245ed4381fdc354db00fddbb6cdfd |
| SHA256 | e1f139810e004b0162959f7e07cabf11458eb6f2fd2ddfb7d2a53d89be3706ae |
| SHA512 | 35aa4306aff3ba43871e36e37ed179f2df8db09b31936c8e34f49c390562d9e72da74daae66e653570e368783555bf1d7fcd535fa878fc8fb48f3bbeb305317d |
\Windows\system\spoolsv.exe
| MD5 | 6bd808badc5206670474c734d3da9e31 |
| SHA1 | 5dc866f47153b67cd7e0788bf26a9093f1ce2ae0 |
| SHA256 | 135fea20c1b1d3ffbddf8f50f327d46d0dde8bf16df71db5c34c2e7c3e7258fb |
| SHA512 | 198aa589907cc6381487023912b08b95ee6769090df4e0083d84a6d39866e3dc105436a328f054544ffcd0c54133213e09a1651c0f39d772892e7b7def4468eb |
memory/2212-231-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1520-229-0x0000000000400000-0x0000000000514000-memory.dmp
\Windows\system\svchost.exe
| MD5 | b494f449aebdbcd991211557c73fd793 |
| SHA1 | be68d204cc358787a07594b3285f0fd6d1b72411 |
| SHA256 | 33e0f114ce022c79ef8a19a1987dcc154e3f59d9adff516a6c2c7ab851b681a1 |
| SHA512 | daf4403fa8bda054aefbf7e506253c943eb337cb9a71862e1ce50fa1f582368592b22d2231362327f8bc86173bade92e17a28e17ef6c98be8343e63bdfd01d3b |
memory/1560-240-0x0000000003060000-0x0000000003174000-memory.dmp
memory/1560-242-0x0000000003060000-0x0000000003174000-memory.dmp
memory/2544-244-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2544-246-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1560-247-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-28 23:09
Reported
2024-02-28 23:12
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe" | \??\c:\windows\system\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3744 set thread context of 3504 | N/A | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe |
| PID 3744 set thread context of 700 | N/A | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 1640 set thread context of 1360 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1640 set thread context of 2644 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 1588 set thread context of 2648 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe
"C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe"
C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe
"C:\Users\Admin\AppData\Local\Temp\ad1903329f84980bd2bbc5b877778daf.exe"
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1016 -ip 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1508 -ip 1508
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3228 -ip 3228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2276 -ip 2276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2140 -ip 2140
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3220 -ip 3220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1092 -ip 1092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1416 -ip 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2196 -ip 2196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2224 -ip 2224
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1952 -ip 1952
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1632 -ip 1632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3744 -ip 3744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4436 -ip 4436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1688 -ip 1688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4284 -ip 4284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2172 -ip 2172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2764 -ip 2764
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 732 -ip 732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4616 -ip 4616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1060 -ip 1060
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 988 -ip 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3920 -ip 3920
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1844 -ip 1844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3720 -ip 3720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4828 -ip 4828
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1052 -ip 1052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4904 -ip 4904
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4836 -ip 4836
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3492 -ip 3492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3800 -ip 3800
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3320 -ip 3320
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3500 -ip 3500
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2328 -ip 2328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4492 -ip 4492
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4108 -ip 4108
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3248 -ip 3248
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3816 -ip 3816
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5060 -ip 5060
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 236 -ip 236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3060 -ip 3060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2888 -ip 2888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2460 -ip 2460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3168 -ip 3168
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3056 -ip 3056
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2348 -ip 2348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5028 -ip 5028
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2012 -ip 2012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 472 -ip 472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2648 -ip 2648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3732 -ip 3732
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4836 -ip 4836
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1992 -ip 1992
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4732 -ip 4732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2032 -ip 2032
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3328 -ip 3328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1132 -ip 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3812 -ip 3812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4556 -ip 4556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4768 -ip 4768
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2592 -ip 2592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 976 -ip 976
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3152 -ip 3152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5060 -ip 5060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3932 -ip 3932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 200
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 116 -ip 116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3488 -ip 3488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3168 -ip 3168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4584 -ip 4584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3720 -ip 3720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4668 -ip 4668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2952 -ip 2952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3880 -ip 3880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4572 -ip 4572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3512 -ip 3512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3276 -ip 3276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3492 -ip 3492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2692 -ip 2692
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3328 -ip 3328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1972 -ip 1972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1304 -ip 1304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3744 -ip 3744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1248 -ip 1248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3248 -ip 3248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3696 -ip 3696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 200
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3792 -ip 3792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2252 -ip 2252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 484 -ip 484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1996 -ip 1996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1888 -ip 1888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 932 -ip 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1884 -ip 1884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4584 -ip 4584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4208 -ip 4208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4800 -ip 4800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 472 -ip 472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3044 -ip 3044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2648 -ip 2648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4504 -ip 4504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 384 -ip 384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4976 -ip 4976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5032 -ip 5032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1976 -ip 1976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 400 -ip 400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2532 -ip 2532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3236 -ip 3236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2616 -ip 2616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3876 -ip 3876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1524 -ip 1524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4108 -ip 4108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2592 -ip 2592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4392 -ip 4392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 424 -ip 424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 656 -ip 656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3288 -ip 3288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3440 -ip 3440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 556 -ip 556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5072 -ip 5072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 116 -ip 116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1520 -ip 1520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2948 -ip 2948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2348 -ip 2348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4264 -ip 4264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2604 -ip 2604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4668 -ip 4668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3476 -ip 3476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3880 -ip 3880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1500 -ip 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4844 -ip 4844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2196 -ip 2196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2692 -ip 2692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3328 -ip 3328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1972 -ip 1972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1304 -ip 1304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3744 -ip 3744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4108 -ip 4108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2592 -ip 2592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4392 -ip 4392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3148 -ip 3148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2580 -ip 2580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1852 -ip 1852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5060 -ip 5060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 980 -ip 980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1168 -ip 1168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2700 -ip 2700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3168 -ip 3168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4440 -ip 4440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4264 -ip 4264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2992 -ip 2992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1052 -ip 1052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4904 -ip 4904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3332 -ip 3332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1416 -ip 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1180 -ip 1180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3012 -ip 3012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2224 -ip 2224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3608 -ip 3608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4456 -ip 4456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1080 -ip 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4704 -ip 4704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3324 -ip 3324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1684 -ip 1684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3696 -ip 3696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4324 -ip 4324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2252 -ip 2252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 656 -ip 656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2708 -ip 2708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3540 -ip 3540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3940 -ip 3940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4000 -ip 4000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2700 -ip 2700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3168 -ip 3168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2348 -ip 2348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5012 -ip 5012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2220 -ip 2220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3256 -ip 3256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3044 -ip 3044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1860 -ip 1860
\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 192
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3744-0-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3744-1-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3744-2-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3744-3-0x00000000009D0000-0x00000000009D1000-memory.dmp
memory/3744-4-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3744-6-0x00000000009D0000-0x00000000009D1000-memory.dmp
memory/3504-9-0x0000000000400000-0x000000000043E000-memory.dmp
memory/700-13-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3504-15-0x0000000000400000-0x000000000043E000-memory.dmp
memory/700-17-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3744-18-0x0000000000400000-0x0000000000514000-memory.dmp
memory/700-20-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Windows\System\explorer.exe
| MD5 | c21d71c8c2bb625c8579b0025bde6f4f |
| SHA1 | 11ed35ddbf4e9c47fcade5cf45f1cf272dbbc70e |
| SHA256 | 3259b4423f7149a0f01a1fcff780e5ae7cb5151d2540b3660eae69375171595a |
| SHA512 | 0c4ad3d73d8013c867b29cae6847e12d02e3708068eb305c72a4a88dc159d16be397628bc7af0846d29848f0b7a49e0034adf98389eba65141f74032d0d3a0a5 |
memory/1640-28-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1640-29-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1640-30-0x00000000007B0000-0x00000000007B1000-memory.dmp
memory/3504-32-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1640-33-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1640-35-0x00000000007B0000-0x00000000007B1000-memory.dmp
C:\Windows\System\explorer.exe
| MD5 | f346e36dbcde7d5896abca598f633ce9 |
| SHA1 | 0e8219c9be7820d83168d6d4c4a204491fe735a7 |
| SHA256 | 4bb5ac50394f518b84bc21280bd2c52378f1920ef93e8cb900082730c1dac310 |
| SHA512 | 044cb3c60318ade1856c3916607c4ce6dfadfebb278d27b0f893afa6be1b8ed43f5f0f9b23106c976252ba0547949228268c81906070401f3cd946acebdeb942 |
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
| MD5 | e1397348a5304e4418927340be454d34 |
| SHA1 | 2279c1323b37e0e28640935faf07763189d4e228 |
| SHA256 | 00528afec0ddb06b6a1606b7c5f9de87f52ee6c5b2daed14722fb80c62a35edd |
| SHA512 | 4e111a4272b0ea155f2687ecbed8ff5efad1dc062e28315e361bf4eb52f039d5cb264d0d2b1ee4029f005e37b82608857b83901c066bbf915655624edff558fc |
C:\Users\Admin\AppData\Local\Temp\Disk.sys
| MD5 | ccb82016ef2b1d597d755d19277e01df |
| SHA1 | e56b1fdac240046b15f352b2bbf62b19d54959a8 |
| SHA256 | 985293a45367a054ed78814651b562bd3c96cb54472dfb30bdb6f94b40af899d |
| SHA512 | 93fb828045f538eb4e7f7c58a0d303e896f8033ac0a29c8185700d2ce21a1f0b503366b5fdf5d644724c58a764229ed31172a2452669c271f362f94349a74789 |
memory/1360-45-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1640-49-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2644-52-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1588-62-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1588-61-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1588-60-0x0000000000400000-0x0000000000514000-memory.dmp
\??\c:\windows\system\spoolsv.exe
| MD5 | 9e216fa6687e5fd5c4259dbc3b873a89 |
| SHA1 | 9f1488b84a55261c492b7688eed29d8ac30f7cdd |
| SHA256 | f60d1e5dc664dedb5714a24d1d0ed4f63c10776ff46c4e41e64409a1c5cf4ce4 |
| SHA512 | 0e4c3cb0da7ace6aa001f46a207f6a57591d67545fb6d3ef387ecf6f2182ca51ad51652c94aea2fe63f2efd56879b477de6c2e37c8aba4b4e80d2dc3ae5217f5 |
memory/1588-63-0x0000000000690000-0x0000000000691000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 1f5330e950b9c157841cf438a94f519e |
| SHA1 | f600ed33773559489134d4f07b4b1428b44b4044 |
| SHA256 | c68c0f27bee7c86aaa4c0f6ae2e375b00e36d3001d014551f20d5bec9641f874 |
| SHA512 | b5a7d5ca85b9d5a402c795441a12d0a4a40bf403d541c502ac0485b94af4cb20bb091b572f945af6027358c87a1ae48097a358c9f69bc105d432707c44af6b76 |
C:\Windows\System\spoolsv.exe
| MD5 | 14b4b40342e6561032f3a130f249b89e |
| SHA1 | df9862f5000203bf2f09b808e369cc75dffc89bd |
| SHA256 | 18c3fa012ad321b8e29490f44d1ba66e902e1b4540832f69176849b76cb8805b |
| SHA512 | 3aca4b3f853ed746d809eefc983fa2fc189060390e3d28e4df4dcd246c90d362c3abd33cd28a35c103a17c7f652618d12f0c36dde6e6c804aa492a8bcdbc531d |
memory/1016-67-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1016-68-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 12c9448200437cf0fd560ab19625670c |
| SHA1 | 81c2cae606c6b7a5a84efc79a8699f85fb9e5ac2 |
| SHA256 | f7918d567b7b69d74e83c1336647ea6127a2b729e0a17e6f5ed0eb1534c596d0 |
| SHA512 | db7bc75d99576d7e92ff09bd7294d3737e1c23ca1d7e591371794efd133eb522692df0a48232737290a1d2464cf5f9707a1841afdf6027a207aef6859b95b464 |
C:\Windows\System\spoolsv.exe
| MD5 | 4c9383d70a36c36ceda23bdc93fdc8f4 |
| SHA1 | 737a3b6191cf64ee494f3960595b2390dfe8e0f7 |
| SHA256 | 079510ee335791e21ecdc08090e10a23735e476f928a75173ba7af673df944c2 |
| SHA512 | 7dd6889f3d485e9baf6e72aed612b73fd18cf7e969496477c8cffe27df2095e484f5590859350857dd64e8b8c4d312baac1ca2e3cdcf4fa268f59f8e2530e6e7 |
C:\Windows\System\spoolsv.exe
| MD5 | 90ce31d89e95f023bd93a0db01c90691 |
| SHA1 | 9b004ba21efda8c296526c37b8db9a9d95f1c06f |
| SHA256 | 4d71fb3d35490be01769ac8a9dc57331e457d10b02a698e2f6be96bc6f4bc07c |
| SHA512 | d52bc2aa44118890af2683ee43492b025faf5ea6cf184c2bb706675a8b201411a21c8d92137181d7c3780bb96420eaacd0c8dd12dfc00fe2c75d9abb7caca68b |
C:\Windows\System\spoolsv.exe
| MD5 | 3cc6f1864e0ed09a5f441f43fc060428 |
| SHA1 | 93539153ca3d182ee59650bdfeddaf1418f2a84d |
| SHA256 | e817426f0bd82a8bbd32e37e9d7065e21602ba4cfd4cb0f9187a8c9e97839bc7 |
| SHA512 | 2fede301e0e6aa285c3ef967dc9cf912091cbf8f9cd7cb77421235ea7fad03d086a63c451c7b7279957bce835db67277eb2522cd058b0d9c804be63b6066ccf5 |
C:\Windows\System\spoolsv.exe
| MD5 | 743d49ec6461ed5fd394a4924bb1a63f |
| SHA1 | a24338299b397832bfe6497c447b0daa1cbdff53 |
| SHA256 | 0c3bfde3a02dee95d40f29624a455f9ea403dcab3d6fa28ecae1f0cd07b55dda |
| SHA512 | 5a5685cb470c0974b5faacb64143e426d7240591ca15925f445c616a6509153f45fbdd5e5f00b3bdcce44b5ab407e6f13ff85d7c8578e11f4f13f3890e6ebcc5 |
C:\Windows\System\spoolsv.exe
| MD5 | 5d6f576d268f26f50541fb1884b4a529 |
| SHA1 | 097edef9676f1e26fcc428ea695bd43a9f386313 |
| SHA256 | 4fcab141c02b8bdc7709f5d5822880e9353f4d25dba14a1c942ea4da8040c6ae |
| SHA512 | 30b7f0cf737238999361b95ca69d561bb51ef63b83afffa50da8f729698987c55ed95c76182cf5e051ab48d83a65701eee9757d29f2c6f0673372b303fdd9db3 |
memory/1360-75-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3220-77-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 0a99e413ee2a099ff0a44d7e16e81bb7 |
| SHA1 | ac1ec8994d9ae372aa1f8a661b4ecc1928d00d47 |
| SHA256 | 7dc19f181392d62d51de5060acc9662ed824525c4287eac9bd706f5f645f8cda |
| SHA512 | 17fb5bfb2c9df8928d8ef34e3929a98efc4180187f1f49131e83f0b015d1e7b30e9efa63e1d2b78cdd39195eea2a4fa92855485ebbd9c73d448c1811258bd73f |
C:\Windows\System\spoolsv.exe
| MD5 | 5313069406c4894665b964eb562304c3 |
| SHA1 | f398e3c22f72e57488324c823458fb092ec3bfa1 |
| SHA256 | 351d9088afdee84c329df84bf2f058e80dc5cce4890ba061d6e241e7301db1bd |
| SHA512 | e5ef1c5086855faebd298fc2f4f83fac54a95e586f6a3e4d37a3503dad68a5d30dbe2790d92cfea29c75daeac6e886d98363a5ce608ac54f6d16fa47cd6d8dcf |
memory/1588-79-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1588-81-0x0000000000690000-0x0000000000691000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 8684a13d0dce04813d9fd984a4296462 |
| SHA1 | 8ee2094a3d06a38e19c4f3754831dc38ed42f32c |
| SHA256 | 52a7435ef457a2616dfb5ba311faf3f44da1442293e93dd67a578348f6585a37 |
| SHA512 | ac4a3abd679ce44a255a46e6748391a2fe1edfb1a2a04b87f7d1cfb1d92a9fd90d763539c86d0d8d1cbb512afe6b7fb18a4432fd628604ad11fd17b5b7dfe510 |
C:\Windows\System\spoolsv.exe
| MD5 | 084c808df86751a8702706a3ad2385ca |
| SHA1 | b449bc76e1b1abf11f549328b9967c3c7e839026 |
| SHA256 | b6540e35551ee0d680a47cf2717e6442ae518489a871584aa392f4a9979363ca |
| SHA512 | 7de388b78b938ab677479b1eb8fba98db6e4d6df65d75a24e6371821f0969d38c5f526cbec02510a2989cff256a7a68c1b7dce42af35187036f3a21649404976 |
memory/2224-84-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | e7b976e7f92c870966a6b49c00a578a8 |
| SHA1 | db4b5a2e67972caee1454d468f9b26663861b6e0 |
| SHA256 | 631ac4e6faf73edb21f7315f2a2a19be250ed217171f0ffd9d331c4d5d56cc56 |
| SHA512 | 51cbbc357e01c59b870908ec8b9d14d7944f9d530bf9eaa3179a37c70707dbca43633b065bcf42fae55bebcbe9ec2a3ec4e99fe93c507f3d1b8716a028e971f2 |
C:\Windows\System\spoolsv.exe
| MD5 | d2c3e96c4246ab1be9c62b2d158f96b8 |
| SHA1 | 6bc0cce611636ad822fdc074d68183f1d26019a0 |
| SHA256 | aa400fecac6632f1ed4a0b52be245083b0edb255a2fcda6b2184302b97dbb56b |
| SHA512 | cbb77f5b7b525a8bb9f87794b0c7792f0d1234a3eda662f225d3bad9d227a9188fa762df71eafa627be02e351902e8c426b4e9e1a3298d561a3b2ab8fbb1754b |
C:\Windows\System\spoolsv.exe
| MD5 | 9831c8b4b1be41afe4c72bfcc338b624 |
| SHA1 | 7fce12187ba02fc1601ba1d96278f5bdc29d530f |
| SHA256 | 759d78cbbe719112d4f1b5261c2db69fd045616af3e470bbca1e9d117ab1cca1 |
| SHA512 | 44901a9affba09dcde85bf202c345c36bda6ffa277c59713ee86448374919a04d835d03071b9dc352d248fd8c4bbda725ca769e4835f992380097a3202f2c5a0 |
memory/1632-88-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 22c048a0986b89f89f2e1d16ebef9dd6 |
| SHA1 | bbc53971f2a1777c4413195236a16677f009492a |
| SHA256 | c9f8fc966b587bc9e20e06421d367720fdc9c523d9fb91614e145ec3ad9aa9a0 |
| SHA512 | 2b1d72ce1a9d7461271a11c125cc8bbefc1421de254205789335634070daed3a5ee088ab34ca4b90c0609396d4de670eb4bde5541aeb72c7ab207539fff45892 |
C:\Windows\System\spoolsv.exe
| MD5 | f6ed49b55df36f14401faaf4ed17cf35 |
| SHA1 | 76515fd65030ae7a0f5534de5aa4f54e4e429abd |
| SHA256 | 61954a7db7306b27c1635c7684e2449a0d6b36b7db25bec9afa5e3cbec4b9daa |
| SHA512 | 26edcb6d89d8d0574f2c3be4d19d5afa619939b8c81942cb5f8c22166e2ad99b3bd9bb7f82c2863c0e7f9a305e1d6bf7b7bbe1d46b421df9e8169823f06e465c |
C:\Windows\System\spoolsv.exe
| MD5 | daf488e831d9c3b662d9c56109740c81 |
| SHA1 | 51c9e20c044d7fc8e2980af668308d8bd0d2304d |
| SHA256 | 95ce020ab167e852bfd1a1f38bd2914e12d079996355ebdc10a4754b139b08ed |
| SHA512 | ba67c4f262a9141647fabc60f70566a365d29d3421c5231ace8a1b3e95fc727aaab71c96d15cb79b87c15cca33543f6b8e855a3f5d40700e72140edef3c347bf |
memory/4436-91-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 59df6ea9c020fb8b3da8e20e06270b62 |
| SHA1 | 5930941a196f72a18445a3916072dd820ab1caab |
| SHA256 | 6dbdf9735704eb4319eead9983b4c998150083a698bf2e5297270d3d48565cce |
| SHA512 | 3335caee3ec90bb0f6baa35b617b38221d6ba92c7e5ed369f6a400c69b98198f7e7dbd7689d32721c59e7a4e8c5c6a52dfdf7db4c054984a4ddc0b44b334bf59 |
C:\Windows\System\spoolsv.exe
| MD5 | fe2cc05a7c76e6b6c855b604b2a78011 |
| SHA1 | e6c3f6b92493bf41173996b6458b5d4001031da7 |
| SHA256 | 3d279ea7a21bfc902dd46a7f6a5a4249e710bdc8c74214a7fb651b7ca39e31fb |
| SHA512 | ff921970afe3c6edeea342ac65b1ebce43f92954283b962496560a594c5da756ae504667a102c604310328c74a255106e6f32ac3036421c47afaafc76d5fc8a3 |
C:\Windows\System\spoolsv.exe
| MD5 | 842f4b66f38ad6ea766466019305ba8b |
| SHA1 | 87d204326f8a95548918a5b0dec3d6315c80b1a9 |
| SHA256 | 18ce5c3e757614fed5697dfe8822ac4d79508ef68d27f93f2f5f310d59a72d15 |
| SHA512 | b542ac58bb9de982e6306bf690aeb27ae28dde931bfae1784c175690e549d774fc21cbde349c3c171d976d23f3fd9bea5c782f8fcd1be86406bcb131c47a4f26 |
C:\Windows\System\spoolsv.exe
| MD5 | 7b5d84c543b897938128944a4529ddc1 |
| SHA1 | ce4decb7df107247f1fe0febf92d751e7c758825 |
| SHA256 | 310b64703896a6b7da46f35d14d44beb12e94dc20c27c38073db432496ba48a4 |
| SHA512 | e3b9aafc13d5917945a2c137ff1e82df4adf692fdb4de8e5927ef164a6177dd9bd6a70d8ed51f95b04c78cede10e86863538e7600fc8f52bc1188c295311869b |
C:\Windows\System\spoolsv.exe
| MD5 | 1486d557544f17bedd9f1e922360c0b1 |
| SHA1 | 9b83648bf8b9ceb20d58b87a2476f41837045e0e |
| SHA256 | 0c7200a7a13ed5a874ee62ba97bfa9a88f57f17ea31c6da932732532bf311432 |
| SHA512 | 50c40459bf8dd505e11fb8bce68bbd1a6317e604e811a5c314dede9a086d2e75975a45f1568bcc4e0807661b9cf850483e29787688c97666b89bf5d2ab3ad016 |
memory/732-97-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 86f7e86fb0c090116474779a649cd64e |
| SHA1 | 84f6f45cec776f998646a7723d72e228038feb26 |
| SHA256 | 1baa71adf2a50a43abfb2779960981649db2d12365468ece665789830cf0d35c |
| SHA512 | c3879ec45683f02cbb9d8b82010691070231d55c03f7262ebda8bd48a03a25c065fcd5e80195875edb48987dbcc1c4830ef79c75b0679814819bdb63f4afac42 |
C:\Windows\System\spoolsv.exe
| MD5 | 2c68e3115bea2b1f7c39ac6cbe5c549a |
| SHA1 | 43970a6d1960796d51680d1f1ca520ab71b58ecb |
| SHA256 | 7647df5b0f32e7306c0a42714196cdbd48c9f3d0990b0fbdfe75017421051cd7 |
| SHA512 | 3e6b2ba9e6bf5c0766c0919bd75cca4f2b5c8626c3150f6f8a278a049da966ef8de5fa201eeda87b0ac06246e302bc41f77cd252d50025e24961802567b7e6e0 |
C:\Windows\System\spoolsv.exe
| MD5 | 0f068055f174fdb5ec7a62ed13430554 |
| SHA1 | aa307e03059549a4c2d05c84e055f892be2b8240 |
| SHA256 | c9b957a9c8722cff209b810867b9b24b63b79c6aaca89cd4844fcfd856aceb96 |
| SHA512 | bd2abdabd789696d834308f834370c7e655465f077746fb3bce6ea5acd9eb5385693a3159a034ba8795525cbc3a70310b7baeb84837a093f07e90e96b4b8c93f |
memory/988-101-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 281fd500e21a98cd6f5d11cbbcff9b5e |
| SHA1 | c1baa1bf3002773e3202b7f5f948362039d064c7 |
| SHA256 | a78a3ea8e8c6e7d3ad1f0edb31a6277e6329a1ef7cd725c3727469eac13c4364 |
| SHA512 | 3df51da15d2966e8247f72751276e544d7881cd29c03757b88dec692ee36e79cb874ab9cba2a4ec04151c81ac8c341a3c6385290047dfd7c84ec1944940ec182 |
C:\Windows\System\spoolsv.exe
| MD5 | 0afa8e7458dd38e3f4f82d75819557de |
| SHA1 | d8e53079175d88dcdfbd4d8a5fb01a8ea1ea0b6a |
| SHA256 | ae246fe6632b86cea27a665ac28fbd58cf66f841ab06a359b650c7792fbd344a |
| SHA512 | 058a417dd8b0fc67fe12743413bd8495412f67b80537cf9a4937cbd8d80714b39eb89803dfe2c1a69821bddd2d47f3cf83b579da570cfac110b80708f38da8ac |
C:\Windows\System\spoolsv.exe
| MD5 | b3ce70d9cd06e497c03c64df389cbbd4 |
| SHA1 | 29a87d18ee77e2cfdb602c1ae8ed4f277c8d95a5 |
| SHA256 | 9d389f64c9c26c673c61a3a2c7907d4585776a55185af814eca752540c08614f |
| SHA512 | 770be3f7ad90126d743fb495ede86eba5f4a15e81f1f6cea0bd2c5ce7a617ff0a039b5413b632b503ddaf6840be2cbc87e203068a6f965042f4694cf1dee508c |
memory/3720-106-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 39d0a72dab6ec73e6090035517076a73 |
| SHA1 | 2f3f5275774e262318e3306e9c71f436975a23b9 |
| SHA256 | 7d0090fd14510a41f797528052ce6dba92dd2745b76b42e74ab04086cab00d6e |
| SHA512 | c02483b2ae4cd02fcda4ef48ff0f4484883df13e29657014212320d33043b5e38b186c7dd321fd8b5e823e4efde8042ba87a462ad2f98e489af9c0854166bf4c |
C:\Windows\System\spoolsv.exe
| MD5 | c1b7feb8fd56b2315d4fee8b399b9bb9 |
| SHA1 | 2f2d20c1e1f0aebae2b8e41a9f871887aa9b050c |
| SHA256 | 2479cda500bd51ce2d3f1069a520e9490c865d6bb65ad7ebc73f0a92e4c31ba5 |
| SHA512 | 2054edbe45f6451adb09e74297a12dd2adea56fa2f5488fa52b5fa5c680d8ea8aecf7f501579370d9cdbc8871e55b9ca425dcb6b9693e6808e8cf0d67781a407 |
C:\Windows\System\spoolsv.exe
| MD5 | 36552b37cd8eb08e5410265d72a07a11 |
| SHA1 | 2ceb086b81862cf0d178be056e75dda6f84fffcb |
| SHA256 | 960d5740fe2d6224a8a0579c00ae47845b8ec5dbe634c4d0357f54d2f1c23c12 |
| SHA512 | d0cb84ec892d7dc0fd48f2135227efb3930486cfe2737eb5674bed584d31abc4e29834b55231b20f8d9c31e0ddc9e99de269fb7f0ebb87646dc2a692237a12f6 |
C:\Windows\System\spoolsv.exe
| MD5 | 7105cd75e9c68b9ecdc6a3b9cc23f78d |
| SHA1 | b7a92738ac425fd59fecebaa24c2095d38674867 |
| SHA256 | b5f5b0832c163e26991d52cbc747aa5e300753ce801513b8f416ef94e09549df |
| SHA512 | cdb2075a716edae1e68198e2e40f98af48cb2c39b0cb2c16248ae95c89cffed6de3fe17f3cbd2e97c6209d27ce09265cefb2a43f7f0826758d4dfa64353c7286 |
memory/4904-110-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | f3943f02c907ce4044e28f157651afb4 |
| SHA1 | 6cdd02688e6f9157ed1491dfaa47db22dbf2a9f2 |
| SHA256 | 4fd0adf8d884a72650c64ae220e198263ff34c02c6fd2f994d9f42ac37e25e23 |
| SHA512 | c5b9321c5426eb840c6c81c701140b843915ea1aeec1a791696448175759263afcff462aab53a3b78c3b8ffd1fbdbb45e8576e45cca8039d293baf90b10f1f38 |
C:\Windows\System\spoolsv.exe
| MD5 | bfbd899ca422c2e104e35b6592e15137 |
| SHA1 | a0ea479e445dea545904af891412cfb9191768d3 |
| SHA256 | ee1132f306194ec80daae7e0589a1327655cb9892b6a8b19c252102c302e2278 |
| SHA512 | fb0105fa81bf56e2e20dcb671a3c7f3e646a62bcb1cb405429d5787cb1e06006ab724e688db8d4e17a6c833778508d779f0efcd668aafc674fe42b82ad6d3f95 |
C:\Windows\System\spoolsv.exe
| MD5 | 963fa144af870f58d5bb1cdcfccaa7a0 |
| SHA1 | c0a8a681413e968705ef96e8b4a384686ffd3daa |
| SHA256 | 80adf7292e2730a48c8739d462b914d44e2f03329afc4a5a8aef9ad12ad3592b |
| SHA512 | 7f9ddb5d8324884782cedba6e351d3728277d9f8e29c5e087de39a360aacfe463738dd0fea23fdaf28eac27874e35a14a20a0f18c47344d3c899a803b7e601c2 |
C:\Windows\System\spoolsv.exe
| MD5 | d0bc136773c4deebd5fa8978f37eba5a |
| SHA1 | ef97d8716a52a256520e80b4a3fe428d9e83bc45 |
| SHA256 | b2bba5768e79d26166c4dea2f2868d8b7be62d9c75255e7eab85132d081e3015 |
| SHA512 | 73bd08ef67e40879fac7b29a453e2ffdcb767458c6e18d8007e7598c41645a7bbf2746db6351286bdead911b822a20deffc602821364e7ba7aa35eb1bccbfd4b |
C:\Windows\System\spoolsv.exe
| MD5 | 13894957d3d58ec9c432a97aad2e59b0 |
| SHA1 | 25cb7902b46d799061efd6d10be686104a12ea44 |
| SHA256 | 890dee31ce67d29065d21931d91298f87f1722ec972f16c7498b6f80bdc8a190 |
| SHA512 | 16cbde93beb2fbb13205e193b9feb247589da5a590e001bd397a6a25ca93d3cf823003273c38d4f480fd6bf55a5aeca26d36fdfc4f128c6d80d46d9c3b089d79 |
C:\Windows\System\spoolsv.exe
| MD5 | 2f171b416eaa25c1179b92d2e697c340 |
| SHA1 | cdbace4f1c20343ac36236d112fc880c230a8b7b |
| SHA256 | 7c0a3d75f20c01383b93c467572f3f27a76ed757f74ac505ebf1ad2928442fd0 |
| SHA512 | 787a40d99f1b3aabe3f2b82220d537a820f61d7d89c62e5bfa0942956d2410b058156330339c52d1b8d6559835abae934591833fa35375f1d9e427cb2e77ddaf |
C:\Windows\System\spoolsv.exe
| MD5 | 8911703cc9415a47d9a2bdaaf9ebeb95 |
| SHA1 | 83a39d04bec84431ddb30a5452c6bc2316f98e09 |
| SHA256 | 5a820105bd532f4480e877b3f802068ed34af7e4109073efbbcdab34a12ffed0 |
| SHA512 | 12d5a52a7cc142a977edfe9eea023e94197d4435980e12d8fc0b1037d33661920c0dbb7b3d2409b0602a44de167ea1869056a5fd4da1a584a5e12d0c8c8d0de9 |
memory/2328-120-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 0998923c5f39681efcca33e8df7657e1 |
| SHA1 | 8357bb0bd9bb0c31807b1953584585b1d407f983 |
| SHA256 | 8f52d827e020987d2b91927b75760fbfe0bce942ef23809219b28437238016ec |
| SHA512 | 18ab7d9571afef8ff70c45876dc75b1d785a80d64b1c29ca21d2ad9c743c818f579508ed16aa7e251649d0093aaaac9ab784b573ace30a714d7f95761f5ee08b |
C:\Windows\System\spoolsv.exe
| MD5 | dea260ca53e0798b5bf759b2e7c448b6 |
| SHA1 | c06f00c2b648d9d46aadffe55a41274271864940 |
| SHA256 | f6785cbfb2cceec78422ad9503097b25757a93a0732bc9a1153618377f9143b3 |
| SHA512 | c2baec387d16e4248cb178a0ab07de9605651160fe0ebf8197c6cc7bc44fdb6fc6fd360aee7e593a37daee3cbce76fc0e802d90c05faa4ad30a1c19a73b0974e |
C:\Windows\System\spoolsv.exe
| MD5 | 1ae8c117695a82f792a56e82f7c630bb |
| SHA1 | c0e20c6f7485014ffbbb0faeee1e651d391db44e |
| SHA256 | 0f0efca407bd48eef3695cda1b19482ca94f0980ba4683c0928e73fc02f48d4c |
| SHA512 | d2d1689b90bffac050a7621ec93c33de341c9ea769bafa063f1344d710f5a55d7d129309d3116a6ebc67888e2140d9e6426e1c303559d3ded34c8394d3e02a4c |
C:\Windows\System\spoolsv.exe
| MD5 | a00c64e59eb01221129232bbd876c61e |
| SHA1 | b8d7c17446db4ac31b0c3535eddcd9e95fb0f11e |
| SHA256 | 7388655ecf9e6bbdbabcb97afbb0dd1826b7422ba54300bfc823bce5ff52bcc6 |
| SHA512 | 6c0d9c9663350efe2c6528840e160012a975d4699a59abfd09823ea4e8da9e2898ca3e4976d90852fb56b5d0475cf96e74fdd29c6c9aae6ab2994da6895d49f0 |
C:\Windows\System\spoolsv.exe
| MD5 | e8c0cb73b4dcb8a7a6fc10f95b4155d1 |
| SHA1 | ffd8ac832d54577d2bb11514d5b526ac101e12dd |
| SHA256 | e4292007fa269ebe7bb5bd56ce85c4e7f264b3402dc1f16134d275fdb2f496de |
| SHA512 | 373c111ec9a908ccf80f055550658c2a636774e41a4e4b8c6f1bca18cfc795221895eeb6016375e58ee42f28c845aa2fb388bb639180cedeb7995b6f4b2f0290 |
C:\Windows\System\spoolsv.exe
| MD5 | 01e9e8c07792da7d1b6a317996f8c9e6 |
| SHA1 | 5b91035087567e757820b8fc777d9ee12bfb4c0c |
| SHA256 | 1110e56fd3861260faf1cba4b9211f521bbb37f7b11e5676650ec9fc83782a8d |
| SHA512 | c5d274845d27347a619c4ddac23b330a0878793add096e0c0ef76751acfcdd28756aefbeb5690c07691361594a934fe1b4e0468710634b59195b83a08a9cf853 |
C:\Windows\System\spoolsv.exe
| MD5 | b390d7e3e0e4cd44b63e7f96d557cdfc |
| SHA1 | 93dabdaf51cb439b93ed83f50215163196a14224 |
| SHA256 | 384a2babffa24aa46e949e823e5b7a567a541a0cccc64992ebe8467143bd33bb |
| SHA512 | 048dadb20ad055ed455816d18be70efaa8ae8bf764b713d7810284038b9bd5a6d04e096f2464b63ad8669e0946a5d3e2f96e641bf79fced129f1feafd0c9c0cb |
C:\Windows\System\spoolsv.exe
| MD5 | 9eb78ace9b519dc7c01631f1f1b8f674 |
| SHA1 | 6540225d88146bbcd670772586266f21488584c2 |
| SHA256 | b7cc681f0fca56e8cb8c0feac0e24f949449a2208d902f443e344311efaa6fa5 |
| SHA512 | e491c42d580ee2fd3c813255a8340666b757a6e3faa4224dde6ac1a889b7684a738e4d33cb8f6443c65fb11036dd4f738054c25cfa4cf7ce7124732173269738 |
C:\Windows\System\spoolsv.exe
| MD5 | 8247542fc4d29bd6ccd82b333100e913 |
| SHA1 | 5b6c121113c4daf54a8f620eb3b492b274c50848 |
| SHA256 | 691c8f77b88b5e8ad39e91d98ff904cdbccb6bd4551e2b68389f5063c23cc2d5 |
| SHA512 | eacd1e27f18a7d42bc0fc02a8396eccc262c8768cd1775ec162e02b0a1bfdafa0cb40ce620dfb2140855fdc5e6a1c0cf47b67c474ab5fe82e13c1a4cb6222f31 |
C:\Windows\System\spoolsv.exe
| MD5 | aa9beab87721dd428c7bd0cde34457c2 |
| SHA1 | 4e4d3e93da5cd090403d3b43924f1163f81696ed |
| SHA256 | 259acebff1fc06ef3cd2a55eaf477d815eba96bbdccce4652918b2e9313f0afc |
| SHA512 | 8b891d81c239caf1bf38a76c58883c33e0f607281e45a3026b4a1fe874fa35cc40efea7fda271eaf65c08e1ecb72428fa0efd46886b8617a0302f66426f20d16 |
C:\Windows\System\spoolsv.exe
| MD5 | 5113dff6ed068e1f925e706a4d7a48f5 |
| SHA1 | 1ebf870a4e3e888e674ac3fb6e1b42b64ff54ed8 |
| SHA256 | d131f1002fe8b12f77ee167ee7b002e6d6f452f73a4cb33e1f7f35c9b7e195c0 |
| SHA512 | 14989f12c4a9471cfceefe26022db97583c63fb115953c9e0beddb0be58480fbca47be99cc8d77725c59df4e89d03cd5b2528116bafb887927175071d6cfd1d5 |
C:\Windows\System\spoolsv.exe
| MD5 | 239cbf5e89ba217dbf6e8b19c742017a |
| SHA1 | 2318236e4d97798f793906916d94f6d1dda42f33 |
| SHA256 | 8846efadce16f7b01e95fc46fac1f119d61c5eb36cbc43038eabd2210ec95513 |
| SHA512 | b1554c011146e66b6535879a7fee33a501acfc4edb3a5440ae426ed358439cfe704db9e907b39da0d99b13a062c5a0c6c9adfed859484bc8514b94d19c822cc0 |
memory/3056-134-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 445ae6d0ce388d1bec1b06c0b97a73bd |
| SHA1 | bf7ad0ae4397e7fca8d44e579fdfe1475857ca12 |
| SHA256 | 67de183b6b1bc15a8841995c1308d8df6d5c412d414921088c3b8578d50751c5 |
| SHA512 | 46cce0b3c5abf1e8e8a80130058edfd09bace663fff108ece84a3f039d31ba26ca1f2ff488dfa01223f6327035a44de2cc6f436098b0e49f327c63c3990ee575 |
C:\Windows\System\spoolsv.exe
| MD5 | f583d977f9921aa503433ebc66d95855 |
| SHA1 | 01f7dac7195cec709b09aa9cb330e6de265fc9ee |
| SHA256 | 94f915b6af4d3833604d7c5b0f4495c4145702fd0f60839395911d70459a6323 |
| SHA512 | c8bf6d65854cdb82044935e99174248b4a5d6628ee4c333122225cc03d418f982317aa98db692ae5c7af8e9a2df136481f598a398bdc5dea27e32f4176584ced |
C:\Windows\System\spoolsv.exe
| MD5 | e4f5a5c8aaa53471fc708e05a0fcb6d7 |
| SHA1 | ad293d3e25ba5dd85569bcbfd7f3fe89c32b322e |
| SHA256 | 58071d5a89542c5421bacf627305d7a1065acc04dce3f2e5f8d37a07a621a737 |
| SHA512 | 00bcf32b113eda6b375148864a1c11bfad0df2a53eec8e75f1bdab9bda5cc26c2824fdfee32a3c9955cc26162fa8e79f49d93abdaa0fd36da3bde1513a1005b2 |
C:\Windows\System\spoolsv.exe
| MD5 | d2a1f22ac6680b1f0c7967d6c7e07de8 |
| SHA1 | 3561207908f783bf24177fed759ce30be5f26e88 |
| SHA256 | 37c2fd88bd5dfa408ed05b219ae52a705cea46593180f8d15f73588970b6bdc0 |
| SHA512 | 0177f8bba56ca0bdb9387e2365f3b2f1c8b1749f11eb6a5227cbd18c397e1f55efb961afebaca22e4f0ddc68e11f2d4565a5374884a74c50a608fd5f4042086a |
C:\Windows\System\spoolsv.exe
| MD5 | abc0c86b4e134e19ee621a41e512d439 |
| SHA1 | 49746199cc58a32851b1f2a50966066db0bd99db |
| SHA256 | cfdb999d9d4a38f9318d7e66afc870d0aa55ae932c480df8f7c3154f7735ad5b |
| SHA512 | a445316cd615dc25a1daebeba42e5c045cda7a1d248b6a880aa5a433f179ff90492eb8388465d22bf256a91aa51c43485c331e55b95b628e0fed3e8834b586b9 |
C:\Windows\System\spoolsv.exe
| MD5 | e1b9d2bb172f91e2f30ef485331b0f5c |
| SHA1 | e77c245cb119ab3b905bff7260a838a30a382316 |
| SHA256 | e8d30a445e9ab7154c11ee8bc6b31dab7185260217771af30f28b70277d0d30d |
| SHA512 | 5e88941c4e4957cbe12595316a0412116968c4c17f6b1526f39c21d68de5b5f9fcef8137e40abe9549faa4cf79e329c4b0247de0dc0b43279b64441c73d8ecc5 |
memory/4732-140-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3812-141-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2592-142-0x0000000000400000-0x0000000000514000-memory.dmp
memory/5060-143-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2756-144-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3720-147-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2952-148-0x0000000000400000-0x0000000000514000-memory.dmp
memory/484-149-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1888-150-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4584-151-0x0000000000400000-0x0000000000514000-memory.dmp
memory/5032-152-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1976-153-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2604-156-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1500-157-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3148-158-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1852-159-0x0000000000400000-0x0000000000514000-memory.dmp
memory/980-160-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3608-161-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3696-163-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3540-165-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1588-172-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2648-174-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2884-180-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2884-181-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2884-182-0x00000000023B0000-0x00000000023B1000-memory.dmp
memory/2648-184-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1360-185-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2884-186-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1360-187-0x0000000000400000-0x000000000043E000-memory.dmp