Malware Analysis Report

2025-01-22 14:11

Sample ID 240228-pzfkxsbh4z
Target abe8da89431cde6f75727b6fe29907f8
SHA256 aa6390d1a73f29d8fc4b8c9a5a4f71cbc43e64b4a4d59658ad27de8f29810bfe
Tags
warzonerat aspackv2 evasion infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa6390d1a73f29d8fc4b8c9a5a4f71cbc43e64b4a4d59658ad27de8f29810bfe

Threat Level: Known bad

The file abe8da89431cde6f75727b6fe29907f8 was found to be: Known bad.

Malicious Activity Summary

warzonerat aspackv2 evasion infostealer persistence rat

Modifies visibility of hidden/system files in Explorer

Warzonerat family

Modifies WinLogon for persistence

WarzoneRat, AveMaria

Warzone RAT payload

Modifies Installed Components in the registry

Executes dropped EXE

ASPack v2.12-2.42

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-28 12:45

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-28 12:45

Reported

2024-02-28 12:48

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe" \??\c:\windows\system\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe
PID 4932 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Windows\SysWOW64\diskperf.exe
PID 5004 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe \??\c:\windows\system\explorer.exe
PID 4052 wrote to memory of 4792 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4052 wrote to memory of 4644 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4792 wrote to memory of 2272 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4792 wrote to memory of 4856 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4792 wrote to memory of 4756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4792 wrote to memory of 3732 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4792 wrote to memory of 976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4792 wrote to memory of 3316 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4792 wrote to memory of 4724 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4792 wrote to memory of 1104 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4792 wrote to memory of 396 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4792 wrote to memory of 3056 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4792 wrote to memory of 4620 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4792 wrote to memory of 3736 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4792 wrote to memory of 528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe

"C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe"

C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe

"C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4756 -ip 4756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3732 -ip 3732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 976 -ip 976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3316 -ip 3316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4724 -ip 4724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1104 -ip 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 396 -ip 396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3056 -ip 3056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4620 -ip 4620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 196

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3736 -ip 3736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 528 -ip 528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3176 -ip 3176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3024 -ip 3024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1528 -ip 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4460 -ip 4460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1424 -ip 1424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3772 -ip 3772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3324 -ip 3324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3792 -ip 3792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 332 -ip 332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3884 -ip 3884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4684 -ip 4684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4408 -ip 4408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1404 -ip 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5012 -ip 5012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3396 -ip 3396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2864 -ip 2864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1100 -ip 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4276 -ip 4276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4924 -ip 4924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 768 -ip 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 892 -ip 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4972 -ip 4972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3940 -ip 3940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3764 -ip 3764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 316 -ip 316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4604 -ip 4604

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 192

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

C:\Windows\System\explorer.exe

MD5 0de93540c971ceec84651b9f612294fd
SHA1 b7eb18850f069ebc6fc2ee452ceae5c413a4451f
SHA256 d00d8421128e32ae83b550847a4738ac8e15014f9dbe9b38ed5bf0b98673c637
SHA512 ab420b217cb776b9cca739c349beb841b0da45bad66169ce1e16146e0be3d3d9c65d0ded213443aee771b55225860d3042918d4b183d17ec49d01bf4473e7a92

\??\c:\windows\system\explorer.exe

MD5 f5a7d0a17fdd08faaaeccdfa7b82387e
SHA1 4fa5807b9bbe6775d76d28c0052ecaf18708a5b5
SHA256 33a100f479b0f2ba51fc0e1d194d24f3df1ac8b81fe9f066be745e0f236a3296
SHA512 5f7916ee74b94109511916bd32a91a7050a8d52f5cc7cfca8b8cac3d4e6f183e3f4e558294b613a947d8f11115a6f852b55f495f7ef0c216b86ada4f77c0984c

C:\Windows\System\explorer.exe

MD5 0dbfdc7ed68be197cab7cfe466e84876
SHA1 0727399b94f4ddbac0c43f644be10ca1486cf035
SHA256 46e20a2c686ed01212e305fdac589affff44aad8b1a06cafdf0681e0b2478d45
SHA512 31ae22e0822711857bc41bfe7e57d83fc4b88b28746de35fb269c021615e8e1badb5583b3850f50c6ae260e962f678b5c3700ebc76c2a1f6fd2a50d22685eb9a

C:\Windows\System\explorer.exe

MD5 040abe3654d96d6df3d6a92faf26b765
SHA1 8ac1e1e4f41d89004b5850152a8364b96249da55
SHA256 75cc9a9f37cc8402e17c8e51e60b693a45476359ed47574d8894f29e201cb7a2
SHA512 91620cf77bb13f5d03048e7133b9bb6a9b113e788f314e069248e50640455f75b57e8fc52efb23e1c560ee80e7ebc55063e9b9984c279d7a9d55320c3721cc01

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 65130a730e03e9bed6e8446efa69a45b
SHA1 af4cce941e1cbf3f12494f68442de9bafa43f082
SHA256 a2d05dbe7cd195b7f5ee8f3f557055c75e1bb20c9c9d9aa8fbb38e63b2efb95e
SHA512 4e6debfedf8d0288331979c9507332fa00c4650affc34b627e9cb8f3b7ab438a086aa43c8a94a2bc2dc3ddb6fd62589d2236cb7b6abe103fd9a71e1d223bf422

C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5 27f7629258989fd10ccbf8162011a769
SHA1 60e2eb7878d98720e11b12627565986083ba16ca
SHA256 082803052c9ea87697bf7c078a6919ad62c44cb71ade169ca5da2902f66b72ec
SHA512 8875c76aa1d24c11c7ddd90fb3685ed8ed5925614a8b8550999c2fa1a74aaa5fab127fa0b09d4fb7cc68b3732f705c3bf10ab5979184d45831731f2904f09fae

C:\Windows\System\spoolsv.exe

MD5 085db8662bf3f8e0d2639ce5a685dd29
SHA1 aca6d8760c631930cbb2f2aa06fce045ae5c5f8a
SHA256 665a4046fdd25e9c3a0dba98e74b711bc8bcfaf5d808ebdcce6b659c70e6a88c
SHA512 97f4fa735fe98cb0592f09d36d343c90e574fbfea32fad02f9cf850b43b84dde8f4b702eea98538f86df50a14c32063cb0b74053f4e58f3d9aaf0e0725d6595a

C:\Windows\System\spoolsv.exe

MD5 8ede9771a346d642c9c6f386c879113f
SHA1 ab8dc480f97cd9310f80313f7f4d092951ded73e
SHA256 66e7cfe63e8c69dc36a0f58c59359a3fd62b4dc474cee997a86c5ee94d7b0e98
SHA512 19477a4ba5adaa1c4c32c206b8ff2ad4450a3b08465a0cba14d7521173ebdb6ace9a31c62475022c1bab124525ba31c259650427bcaaae6c0bc6947f6bd01110

C:\Windows\System\spoolsv.exe

MD5 75de465cb8e1e8b3aeb6b5d606b9dd2d
SHA1 34774a56df9285676a47633eb3678be29eee8909
SHA256 fa115b4cd55beaacd232a74f6ff6e4692a0deed7d69e6a6e3bccb9b80ebb8e75
SHA512 d9c208a8df665daa2e204fc1e2365cd312fdb20856fb3bf925a71e6bb41ba2c6bc790c03ef7373936561a6419d85595062d55b9dbeae331e5c7957c08ee266cf

C:\Windows\System\spoolsv.exe

MD5 748a5cf4f219e7183aa61dd2bfbd144c
SHA1 a4ba24ee2594d5e6c51bde6cb8a8eb495b1c4cf4
SHA256 d85b937e23483c526987726f3e5c4ef70dcb92b2b1f868013899decc5e92fa03
SHA512 2acdea2625d22203b749a85ab7532d0c9a81a67cd6191aabef516d6ea2d73f12c0a11a2765e037e286be0b5cf36754fe5f506f8a5ec6020b7cf1f41f3c67c89c

C:\Windows\System\spoolsv.exe

MD5 532be26935ed4d0337f5299a2a903892
SHA1 5306debfd7fa0ffc7c7da7b8f3ab6cc5084b1c61
SHA256 2fb8e981a2fdcd97b1e96337ccc2928f6686df10da588897f377d678156c3944
SHA512 daba83f5d7c13fe9a0e6403c5eeff6b326db21803e51a103f95caeaaa4a8b6f09f88b59f927122adad22bd565c35ea3ea70044c9639eb02c606d9f6249550db4

C:\Windows\System\spoolsv.exe

MD5 41f60f0600ad9f7b9c1dc6ff1f52455a
SHA1 9a6eb596e9ee675ccb15540336ba31c509ab3b00
SHA256 5c37adfa9278d8738354222f958a1a02301a76e81bbf1406df7a5816c6044b37
SHA512 8205be8e908c365e24febca6faddb7dc479c43972b2ebe4863f4002b693996c47fa227509b0ca1c1a3d248a4a246260d664b1a2d3b9ed555377e9d8feb36e75d

C:\Windows\System\spoolsv.exe

MD5 f67892779ab109f1495268cf4afffae9
SHA1 a655ea8cda7c7932f2e52fa0aec1366e02d71ba8
SHA256 fcce94f2f09fe4dc11c9ee19fe18c7d593b0dca3e2fae95235ce8623398cc836
SHA512 079e82782ce0ab73ef14446e58d43d8d521a3d433d70dc351a95587bb2e7b3408e981642d70bd66058f8e926b7eb5000132e33fc7a0027e634cf7732c3b082d7

C:\Windows\System\spoolsv.exe

MD5 8915e8db1a9b220e878e2923748e5b2d
SHA1 6d66dead36e744d08d8617223c73695890a65280
SHA256 46b3324e3d02045b0d1a5729d3fb08feda4e198197b4f8213d3d88d84a65bcf3
SHA512 bb3c3055b4cb6033159f185f9cc4d151e3a5cb9a307edd8214ca77b69c1e844020e70ff54ea338fa5982dd3b99911c1fd48a784835a498f2a590f84f58acf80b

C:\Windows\System\spoolsv.exe

MD5 4322e599836a2dbde4c14f275e54557b
SHA1 64f3defbf892af2b8eb579ec43ebf94ccac00b51
SHA256 59b1c63953338be1f9866941aace0ba4c01d34db1269be7fb22d4f4589755e3e
SHA512 369a7d90f7bef59cab64681469fecd8a8dd70821ce339ebb9521ab7e2e228ce0e74cebab968c8618c50de9843d1148dc46f632708f1740faa7784ed3d6dbb1ba

C:\Windows\System\spoolsv.exe

MD5 557688e4c114df9d248751b452f30413
SHA1 91e14aa6ccf80d886740a7f54d9d02e034d11837
SHA256 c066d79254b8c9f82daa9956fb1ec190e90eec49f7748c13a7c1b2a0e1dac8c7
SHA512 fb74ad93b4382ed713972fb81c89e85a4be7d5368613936bd4235e3bb0a0895994401cd8b3ca3ebcc222178ffec78a737ec42d0f68202de55ebaa03f562391f2

C:\Windows\System\spoolsv.exe

MD5 647904c20bf212dce7a295fe41ef697c
SHA1 ac6c31f020eceacd0e5f5dc52f2694cf76b82ebf
SHA256 679cd1a3b148a4252a691ed0a80eb42a1b9e0d921886261570423fb52fd76254
SHA512 d539821b2559ce2a4f1bdb3e292dc2855b9a0a563ebe18b4941fc5fa4e9e4d605a9976a3718bcd54ef02b6ab0df3fdd92bd43914b669e64e3871fc52cf57d44e

C:\Windows\System\spoolsv.exe

MD5 944738be0093ecc2bdaec9f6de1199a9
SHA1 59c425e331daabf4e9e2ad7410b1651a9f059340
SHA256 f704e17f1045461a873fc2eebc8ad03f91d9ae6fe7df1a8f52ebb735ad5af72a
SHA512 b01ff11a5b92504100e34b65c549568eb26382ddaaf362f1f13b6f25cb2b968040d4c33f3580ea56ccd057d9e15c91506dcd4df30b1e7fcb2f7c604a71fe61ff

C:\Windows\System\spoolsv.exe

MD5 eb52cae2ac76eaff666a7c22dcc57d45
SHA1 e8bc4d202805624b32ab9e9254717796fb096bea
SHA256 24f198f67d4d0431e257955e53221a823a1e3c7868b346639dee015fe8c6bd9f
SHA512 e2358421733b86e154c1238ef15ab299c9c3b55bc411d374400d6b1564989f2c110d638c6b408f78b8bece18de39ffdb939a13a8f79e4104c3cc9ed2bb63f980

C:\Windows\System\spoolsv.exe

MD5 f925f082f763a7f9f4ad2c4d0b51c7b2
SHA1 e80cb74c6d587c9e6659b3b640bcaa86b3a8a63e
SHA256 4fab8755cf613d3bd9b3120434f9edbf90f5057136cfb474aa051c1adf70ee7d
SHA512 813f4fc8bc6ae8df89073e83f26f02a8f1ee200a05b222cf2db2010025192de928fa984719a2b7581777af06c0947eadf6a0e4bd02467f4ae76db34b1d614180

C:\Windows\System\spoolsv.exe

MD5 325488de3b99c286b886ec20d2edf1d4
SHA1 92ee13a324c674f1e4e85e842cdef338f8f43207
SHA256 2ed6de9f8a62a3d5c57c5644dba5328f9620a7d109a8236345e0d81b144e273d
SHA512 d6e7f7e5629424deb9e6ffada6273cb80465ec5d40de544fbc6170229563fdf3e4694ecf158fad80c4b179fb890205465d533cff6984f4e416a3bad4444dae10

C:\Windows\System\svchost.exe

MD5 aff44c7d0dad962c4ad7fbf7cddaa967
SHA1 e2d017d7b764eb6b051bb34439d18f7576559883
SHA256 03c3933352e796c129cfe3663f27859539f04213ea981cb898f01c01b462f102
SHA512 0e8fe1709b67f0a3c9991273b390c96b8600ae83e8178904610654ed7507eae1172c66cb6dca59172a1d072544568ef9ab28aea069a64ba53f406f1f441dfaec

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-28 12:45

Reported

2024-02-28 12:48

Platform

win7-20240221-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe
PID 2232 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe
PID 2232 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe
PID 2232 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe
PID 2232 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe
PID 2232 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe
PID 2232 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe
PID 2232 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe
PID 2232 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe
PID 2232 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Windows\SysWOW64\diskperf.exe
PID 2232 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Windows\SysWOW64\diskperf.exe
PID 2232 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Windows\SysWOW64\diskperf.exe
PID 2232 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Windows\SysWOW64\diskperf.exe
PID 2232 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Windows\SysWOW64\diskperf.exe
PID 2232 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe C:\Windows\SysWOW64\diskperf.exe
PID 3028 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe \??\c:\windows\system\explorer.exe
PID 3028 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe \??\c:\windows\system\explorer.exe
PID 3028 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe \??\c:\windows\system\explorer.exe
PID 3028 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe \??\c:\windows\system\explorer.exe
PID 1248 wrote to memory of 1972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1248 wrote to memory of 1972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1248 wrote to memory of 1972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1248 wrote to memory of 1972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1248 wrote to memory of 1972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1248 wrote to memory of 1972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1248 wrote to memory of 1972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1248 wrote to memory of 1972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1248 wrote to memory of 1972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1248 wrote to memory of 2196 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 1248 wrote to memory of 2196 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 1248 wrote to memory of 2196 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 1248 wrote to memory of 2196 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 1248 wrote to memory of 2196 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 1248 wrote to memory of 2196 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 1972 wrote to memory of 1572 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 1572 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 1572 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 1572 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 3024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 3024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 3024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 3024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3024 wrote to memory of 2788 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 3024 wrote to memory of 2788 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 3024 wrote to memory of 2788 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 3024 wrote to memory of 2788 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1972 wrote to memory of 2064 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 2064 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 2064 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 2064 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2064 wrote to memory of 2700 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2064 wrote to memory of 2700 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2064 wrote to memory of 2700 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2064 wrote to memory of 2700 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1972 wrote to memory of 1484 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 1484 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 1484 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 1484 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1484 wrote to memory of 1732 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1484 wrote to memory of 1732 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1484 wrote to memory of 1732 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1484 wrote to memory of 1732 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1972 wrote to memory of 848 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 848 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe

"C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe"

C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe

"C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

Network

N/A

Files
