Malware Analysis Report

2024-10-24 16:46

Sample ID 240420-fx4qashd89
Target fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118
SHA256 006238b4055897309454555b2bf335843f09c9a106e5535ce5e9ded7cdb4a13d
Tags
warzonerat aspackv2 evasion infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

006238b4055897309454555b2bf335843f09c9a106e5535ce5e9ded7cdb4a13d

Threat Level: Known bad

The file fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

warzonerat aspackv2 evasion infostealer persistence rat

Modifies visiblity of hidden/system files in Explorer

Warzone RAT payload

Modifies WinLogon for persistence

Warzonerat family

WarzoneRat, AveMaria

Warzone RAT payload

Modifies Installed Components in the registry

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-20 05:16

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-20 05:16

Reported

2024-04-20 05:18

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe" \??\c:\windows\system\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4084 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 4084 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 4084 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 4084 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 4084 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 4084 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 4084 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 4084 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 4084 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 4084 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 4084 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 4084 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 4084 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 2680 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2680 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2680 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 4656 wrote to memory of 4208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4656 wrote to memory of 4208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4656 wrote to memory of 4208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4656 wrote to memory of 4208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4656 wrote to memory of 4208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4656 wrote to memory of 4208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4656 wrote to memory of 4208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4656 wrote to memory of 4208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4656 wrote to memory of 1964 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4656 wrote to memory of 1964 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4656 wrote to memory of 1964 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4656 wrote to memory of 1964 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4656 wrote to memory of 1964 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4208 wrote to memory of 3460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 3460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 3460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 3308 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 3308 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 3308 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4348 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4348 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4348 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4840 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4840 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4840 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4072 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4072 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4072 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4612 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4612 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4612 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 864 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 864 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 864 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 3628 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 3628 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 3628 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4016 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4016 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 4016 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 1708 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 1708 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 1708 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4208 wrote to memory of 1420 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 4208 wrote to memory of 1420 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 4208 wrote to memory of 1420 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 4208 wrote to memory of 4856 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 4208 wrote to memory of 4856 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3308 -ip 3308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4840 -ip 4840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4072 -ip 4072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 864 -ip 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3628 -ip 3628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4016 -ip 4016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1420 -ip 1420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5032 -ip 5032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4260 -ip 4260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4492 -ip 4492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3544 -ip 3544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2348 -ip 2348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3272 -ip 3272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3592 -ip 3592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2840 -ip 2840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1504 -ip 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2912 -ip 2912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1164 -ip 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2044 -ip 2044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3676 -ip 3676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2908 -ip 2908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4180 -ip 4180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3732 -ip 3732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4848 -ip 4848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 984 -ip 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 196

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4888 -ip 4888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2108 -ip 2108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4548 -ip 4548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2244 -ip 2244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4480 -ip 4480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4508 -ip 4508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4528 -ip 4528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2768 -ip 2768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 684 -ip 684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1868 -ip 1868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4844 -ip 4844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1312 -ip 1312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2164 -ip 2164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2108 -ip 2108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3988 -ip 3988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1704 -ip 1704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1660 -ip 1660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1140 -ip 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4840 -ip 4840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3060 -ip 3060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4672 -ip 4672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2104 -ip 2104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2912 -ip 2912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3824 -ip 3824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1132 -ip 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1584 -ip 1584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3184 -ip 3184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4528 -ip 4528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4244 -ip 4244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1328 -ip 1328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2000 -ip 2000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3060 -ip 3060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 920 -ip 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5104 -ip 5104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1636 -ip 1636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4896 -ip 4896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1660 -ip 1660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2872 -ip 2872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3544 -ip 3544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3568 -ip 3568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1868 -ip 1868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3396 -ip 3396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3640 -ip 3640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3340 -ip 3340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 388 -ip 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3264 -ip 3264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2476 -ip 2476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1132 -ip 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3308 -ip 3308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4460 -ip 4460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1328 -ip 1328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4664 -ip 4664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2116 -ip 2116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 464 -ip 464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 892 -ip 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 220 -ip 220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1256 -ip 1256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4996 -ip 4996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3444 -ip 3444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 984 -ip 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3592 -ip 3592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4016 -ip 4016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 892 -ip 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3160 -ip 3160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 2156 -ip 2156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5068 -ip 5068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2908 -ip 2908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3028 -ip 3028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 736 -ip 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3344 -ip 3344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2300 -ip 2300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2308 -ip 2308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3152 -ip 3152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5068 -ip 5068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4460 -ip 4460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1504 -ip 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2956 -ip 2956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3736 -ip 3736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1944 -ip 1944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2112 -ip 2112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1284 -ip 1284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4888 -ip 4888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1380 -ip 1380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 940 -ip 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3396 -ip 3396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3176 -ip 3176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2872 -ip 2872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3392 -ip 3392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1248 -ip 1248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3684 -ip 3684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 980 -ip 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1580 -ip 1580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4840 -ip 4840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1132 -ip 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 3916 -ip 3916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 3152 -ip 3152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 4512 -ip 4512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 4976 -ip 4976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 832 -ip 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 1256 -ip 1256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 3544 -ip 3544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 1592 -ip 1592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 1944 -ip 1944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 2072 -ip 2072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1892 -ip 1892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 2156 -ip 2156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 4168 -ip 4168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 216 -ip 216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 196

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4860 -ip 4860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 2840 -ip 2840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 192

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

memory/4084-0-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4084-1-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4084-2-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4084-3-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/4084-4-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4084-6-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/2680-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2680-14-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3924-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3924-16-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4084-18-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3924-20-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\System\explorer.exe

MD5 312f91c090a1a29a065c56e232b2d94a
SHA1 ec23fab3688736cfcadd286fd918d5f7236851dd
SHA256 eca427269bc2e1f4b6e41b8ee28ecf5e49d4ac06bff2d9ab16e1a2356a06168b
SHA512 21dd2265f3990b259c726e1708c9fe48f89a09585fbf61c73c149f714c345cb302b529381d1be88903987f86aa41c90b02dc5feddbed2dab586551ff67265ff8

memory/4656-30-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4656-29-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4656-31-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/2680-33-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4656-34-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4656-36-0x00000000006C0000-0x00000000006C1000-memory.dmp

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 fc023d88a1bd179e0fe52bd15728bc47
SHA1 0237d102150c2056b50eb9555a6dc25a53dd993e
SHA256 006238b4055897309454555b2bf335843f09c9a106e5535ce5e9ded7cdb4a13d
SHA512 32b3bef07d89046419ccb51cf0c332a3df9a18adb623d31c80dce40180ad2f1717588a6a21e306347f1e438586138bb506aa84ef8957ed186b446320d2b9e9f6

memory/4208-47-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4656-50-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1964-53-0x0000000000400000-0x0000000000412000-memory.dmp

\??\c:\windows\system\spoolsv.exe

MD5 4de4d7c4ed4e5527b68db11f977ab537
SHA1 2b688bb1f434b79170366cf6dff7214fd12de41c
SHA256 47dd920b95e8ac773d81d67fc3e76393cc4afb6aad6113032f5147dc4b7f391d
SHA512 75cc2965ad83b8c4c8d63bd2c0af737142620b74bb8e9b177fc454f517ce28155f631b51af5b9506cd35434c8694b36e2df6c0cc4af81e8071449d532adc439b

memory/3460-62-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3460-61-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3460-63-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3460-64-0x00000000009A0000-0x00000000009A1000-memory.dmp

memory/3308-68-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4348-70-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4072-73-0x0000000000400000-0x0000000000514000-memory.dmp

memory/864-76-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4208-78-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3460-81-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3460-83-0x00000000009A0000-0x00000000009A1000-memory.dmp

memory/4492-89-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3544-91-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3592-95-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2912-99-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4180-106-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4848-109-0x0000000000400000-0x0000000000514000-memory.dmp

memory/984-111-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4888-113-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4548-117-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2164-130-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1704-135-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4672-142-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2104-145-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4244-146-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1764-149-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2872-150-0x0000000000400000-0x0000000000514000-memory.dmp

memory/644-151-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3544-152-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3568-153-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3264-154-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4744-155-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2116-156-0x0000000000400000-0x0000000000514000-memory.dmp

memory/464-157-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4820-158-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3444-159-0x0000000000400000-0x0000000000514000-memory.dmp

memory/736-162-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4460-163-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1504-164-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2112-165-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1580-166-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4840-167-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3524-170-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2072-171-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3460-182-0x0000000000400000-0x0000000000514000-memory.dmp

memory/5068-183-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3608-189-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3608-190-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3608-191-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/2908-192-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4208-193-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3608-194-0x0000000000400000-0x0000000000514000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-20 05:16

Reported

2024-04-20 05:18

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 2244 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 2244 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 2244 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 2244 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 2244 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 2452 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2452 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2452 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2452 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 3016 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3016 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3016 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3016 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3016 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3016 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3016 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3016 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3016 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3016 wrote to memory of 2248 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 3016 wrote to memory of 2248 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 3016 wrote to memory of 2248 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 3016 wrote to memory of 2248 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 3016 wrote to memory of 2248 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 3016 wrote to memory of 2248 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 1980 wrote to memory of 2328 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 2328 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 2328 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 2328 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 1620 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 1620 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 1620 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 1620 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1620 wrote to memory of 2276 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1620 wrote to memory of 2276 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1620 wrote to memory of 2276 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1620 wrote to memory of 2276 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1980 wrote to memory of 3008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 3008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 3008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 3008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3008 wrote to memory of 848 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 3008 wrote to memory of 848 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 3008 wrote to memory of 848 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 3008 wrote to memory of 848 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1980 wrote to memory of 1292 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 1292 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 1292 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 1292 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1292 wrote to memory of 1532 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1292 wrote to memory of 1532 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1292 wrote to memory of 1532 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1292 wrote to memory of 1532 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1980 wrote to memory of 980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1980 wrote to memory of 980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 36

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

Network

N/A

Files

memory/2244-0-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2244-1-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2244-2-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2244-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2244-4-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2244-6-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2452-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2244-11-0x0000000002EE0000-0x0000000002FF4000-memory.dmp

memory/2452-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2452-14-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2452-18-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2452-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2428-28-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2452-27-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2428-32-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2428-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2244-35-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2428-36-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2428-38-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\system\explorer.exe

MD5 ea32aa722bd385282fc04374e89be224
SHA1 e21e0b54016c000d74d8c958e3c12439f0cf3a8d
SHA256 eb642981ef5da4975b03523bdd693942b73b9167fb8aecf847c01e80fca44c36
SHA512 ae96110a30bdf770070181d78ca787f673c13e126d9c8280b0d5ce6f286ac39d96f6be9301d3c286e19947c4229906373ed43a4d2a70667b67063d1af47eb031

memory/2452-43-0x0000000002E70000-0x0000000002F84000-memory.dmp

memory/3016-49-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3016-50-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3016-51-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3016-52-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2452-53-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3016-54-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3016-56-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 fc023d88a1bd179e0fe52bd15728bc47
SHA1 0237d102150c2056b50eb9555a6dc25a53dd993e
SHA256 006238b4055897309454555b2bf335843f09c9a106e5535ce5e9ded7cdb4a13d
SHA512 32b3bef07d89046419ccb51cf0c332a3df9a18adb623d31c80dce40180ad2f1717588a6a21e306347f1e438586138bb506aa84ef8957ed186b446320d2b9e9f6

memory/2248-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3016-85-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2248-88-0x0000000000400000-0x0000000000412000-memory.dmp

\Windows\system\spoolsv.exe

MD5 4d1a5c505cf72559c95bedcb95756530
SHA1 a321d23a41c270970859f0f23d22490822144bbe
SHA256 72b50a155452d68d2ec5b0e187cb6fb23b31d7bc7dd4f9e1f8781eea5d28bc27
SHA512 2444f0e481452da377305ae35fd758f3ad607be33b4a7c8cf406e062085488b2e67e2a215a0d34111e01921efa1b79a8ede7a14e6c4b9fe58ae9447ebeb3467c

\Windows\system\spoolsv.exe

MD5 2ff7d3118b3de0fc0016637984ac07de
SHA1 11369c1339c27ff4b9db52bf9a16a7b87646fd49
SHA256 c44215717d519a8c26d71a8b8eaa2ec3733b0bbb36dded51a04aa386bd3eac11
SHA512 5d39eddeb4f3a3ee96a556e8abf23d34c5006e29c93842accf950c6f40dbcf4311d278a252d0ade2924c05c77012e44cb10d319f65b3eabeb8e7bc1a633a0197

memory/2328-100-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2328-101-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1980-99-0x0000000002E00000-0x0000000002F14000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 3cdf893d37ddee91bca730d9867449cc
SHA1 7fca62f44077f1a9da13c44167aeebdba0799d59
SHA256 059d71647e98b0a752833662385107b88dc4b85b6a22256ea39f9151e520b2e8
SHA512 c58c63f4018118f42bb26824abe7b01c89b51dd5bb41a97fdbdd33cf48e2f02b8babcd120e1c44b59c495d6a9d5eef5a0ddbeb44fe0d38d18395eebf49fb3a26

memory/2328-102-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\system\spoolsv.exe

MD5 2cb25d41764f4e81cf13f0bacf6ccbab
SHA1 91b3c3524f59b84d3721d8a6b6b624d92be8b2c1
SHA256 a7b31ccf6c7a1769df590efde49391a65a102b6ec063cc73e051d8b8fbc0d848
SHA512 769f7f7c859fb4ed626a3986ef56a56f9a4403ad84f13005632c19c0d0b3460c6f5fdac62cae75c45dc473452056f00912eb51261911307df21d78967c2fb678

\Windows\system\spoolsv.exe

MD5 8e3f6020807dc87d1c021a535e9f068c
SHA1 3b3381e687c784367f556983bccdbd14fdc13327
SHA256 a529b7a3ceabf686e67471f146a6ddfd278e19ca96e0b27b30c9ff0852fbe1c8
SHA512 a33bed3c3e07be93455e1b8411b31c3cade34955bd2d23bd5908eb164a17d686b05b45136296238b1faf77b8f26adfa81de261338c715d3a4a83198e230514c9

memory/1980-114-0x0000000002E00000-0x0000000002F14000-memory.dmp

memory/1980-113-0x0000000002E00000-0x0000000002F14000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 933c7090edd190c5696ed39667ddeb84
SHA1 a5b4c918ee4256b21b1afcd8104f81b5102dd081
SHA256 08f99ad989576e38ed66fed00d7eca9ed1badc6d24e37fde3f68726cb325b548
SHA512 5f77f9b5df46676ecc1786270f218fc523cabb7dece15a5997c31e1e888da6d1a276297855396a599d52cad6f63c2646d9b4714af50a81b47123aa85d2a8fc8a

\Windows\system\spoolsv.exe

MD5 13f8b6a318383c73349ad4acaef1c37b
SHA1 70c954d06f453bf40efa09553604f5cbdf194f88
SHA256 7e0c19ecfd95a0ecdeea30712cb1c32539c7bf8397ff02af69f4fe0027055546
SHA512 67587ed5a0c5fd90b058079cd097385753859eb7afe1c2276c38adc3b7b16c9b4336f19cfc58e93e748273ececbe361047f94e3866c98b2eff46cce164fcb0c2

\Windows\system\spoolsv.exe

MD5 4012d263ef92c5881d0abfc3f06a86bd
SHA1 2410c2111a88f446bb6cf3cfd48bd22493c08f43
SHA256 6094e882d5ca77381ffa35892856126aee9dc5b34e7a0ea0a4c65ffde0dcecbb
SHA512 4eda592db187265c64eb44f9b3c660781ee142d2f735a5b35b7a4d5713a68fb1cf91a2dc527bbdb17b33935038eb11c0008703b3e454b7986424f4cb1fbde50c

\Windows\system\spoolsv.exe

MD5 6003d3ea51cfbda7e61385cca1bab3a6
SHA1 002950ff8c559b1593331e69a1d1a44f93a12cf1
SHA256 9c36c114ce217f38e5d8bbfc59d7e157b3ccc8c1d50983e722e91911b1ca6c0b
SHA512 d681dfb8380274aaa8103787e7d40c26aa27d1028b3a0650826e004b2d70b4ac401d01884d85164e68afdacc3df2b8138b9060ad760a875076934d873a1eecbe

\Windows\system\spoolsv.exe

MD5 9b9983645bec0a9599dc7ab07eca707e
SHA1 51a992ee5e96c18b3ffdb9cbea51cf431f4d9713
SHA256 c56afb3539528284fb97a43edf9cccb1f2e905b496e4b5d4e52d8bf4e2f14af0
SHA512 36384c552f515ada5257c17a5c897b72a3a0d75c04dd42e79e125bc0a698cd22b58da1b855843373d507c82be40d5d824b8551e0a80188cbd4c6829bcc58d8f9

\Windows\system\spoolsv.exe

MD5 2a24a9d210533ef7bd57964edb699d9b
SHA1 c3385a9ca1e8e1ab90c81e423152bf3e6d22f297
SHA256 b4a7c7b3d89963f01264f51b6ef61d7d3e56ec7989b990609333d0a2e064a671
SHA512 2532bdd2be3302eb57805cdef94985c7c5273d82af5349aafeb1cc3caf15c3ab1f2bdff0029b0fd22177426b0028136b3206fa8af138e458faddee0c87de5df9

memory/1620-121-0x0000000000400000-0x0000000000514000-memory.dmp

\Windows\system\spoolsv.exe

MD5 1070097faa12a39fc2bf641333ceadcd
SHA1 0274d58cb6f0ca47fb7be4d86630e1f5b42b329e
SHA256 65dc598aca7c2519275b4cc8cdafe7f585892a6d00c90b73cd963b4ab4dca6cc
SHA512 1adbe009f644212c35be769589929630d989b97139d0873bf61820b961e8c53674c37b5be9e2c402120bd18c5f432f3b2691b09157010255b414da20ad8ecae6

memory/1980-123-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 4734234853df5bb2c3bc178b33e4a429
SHA1 33a3b9d4b05edb35213730f26e14d914a0b9092f
SHA256 921508bbbecab1c655657e725192131e6197a1990844809e6c23654a3a27a9d5
SHA512 f6cc65693a1bf006f0b9ecd6e32fd2adc2af675b9ca0b09c2d43501f9c119131ade598ed3bf10eb61ee2f6c98092f4c2ab8988f389dde28bffe03c667d8fb84c

\Windows\system\spoolsv.exe

MD5 01cf48a25643cee7497d7609d45addf1
SHA1 df4c03a689cfa6ec299d5bb86763dc6f25905cce
SHA256 030d195bcea6347ce12758f11640d9193ef18083f34801ff792c2c47f731fc62
SHA512 d0408110d3098c7857adbeabd6bd1e549c74467346d8ae1f5aa1eef65bed7d6565aa5e607f925209d01e8f463e548afb9a978578ac15b690503f678211632238

\Windows\system\spoolsv.exe

MD5 587a65d146089ecc69441b031a46a452
SHA1 d6150b6edf4da6ac577eca9ae956ef51284ac99c
SHA256 3c537156249d8fced6bf45fc2f4ecc931ac0d19518abf16988d00716d28dc071
SHA512 b94aa4ade532d4001441cc2ffce1f29bb0f1e6a4e24c0c7a7296dc99395c70ed526440085166e0c14f872f38661a4c354647fb58a05d8b12d2e5b4e18e193251

\Windows\system\spoolsv.exe

MD5 dd95434af2d0eb38b2d8925af73aa2f7
SHA1 5da1b7a1333605698ec410cb2f2031668ffae45a
SHA256 5dd7d09634dccbebe5e0903c50623020e4a25063e346d8d89cc3b97ac0e9edbf
SHA512 85b27df2d80c326916c03d22fde7aadbbbd21c8ac7439003d6a49e8d38feadebe102c36b0e4dc7e8891480080fbd1dc0157304f79540249b6779fedf9434cc85

\Windows\system\spoolsv.exe

MD5 88143dbfb9983385d6bbfcf5ec062d50
SHA1 638fe4ba6f08647b800557e7ea05dfefcfe67a5d
SHA256 64414dfdf7a71f4b24d9578a0b9bd0220f80716d9d991f6d06b83de5eca509f3
SHA512 f1da969a708ac1661787c57bd314a67e39a68cb34b600059189bac05d4c3ce573413f0baad80d2a319bd78b59796bb9e9993ad303f33bfcf4ac6cc31644be8b4

\Windows\system\spoolsv.exe

MD5 490d8238c5ac051efa24f5e81c82a88e
SHA1 cd4517ab4892d204506fbcb886e1b559508322e6
SHA256 ffb566410236c4bdbcd67c1225fdf90e9e70ebd0704770562a6edab05b8b919c
SHA512 3becada8af54b820b7aff12a9c82506fdd2884e4b12efc605be8a82ac813d87be6ba98020f466d5ef493dfbc6f540f0359ffb22324993870b74cb0de16868215

\Windows\system\spoolsv.exe

MD5 98171e03f0c92601edb16a4db00d1a63
SHA1 1a65f1bad14dd44ef52cd33d7d9e00585913d905
SHA256 f77d8da2a7621d968aa0d391f6c3a279dc8751db429b16f27f8ab71c4cb0e4eb
SHA512 933a60e1b5a5b95da0882a3f348746c341662fc95432aafe8713eec1c20fb94161ad34b0ac2bea598133451167320db3535d614c904b0ab1d189803a444ddf96

\Windows\system\spoolsv.exe

MD5 0de5f37fd1e34a18d013bf7fa3723e58
SHA1 571552fb69eb1d212275ce805b8a4e528650664c
SHA256 24c55074101aa2d318c0cfdd681b73a119b0d0c497a4495ce09b1b0e44789db5
SHA512 7b368dfe0b3449c04427bf1012620dc4c3e4f58d3112fefef94fbe82c7e4b81e8dd9d48b3a9f1233efc059bd932325c42da916eab4d6585062df4021b71706cc

memory/2328-132-0x0000000000400000-0x0000000000514000-memory.dmp

\Windows\system\spoolsv.exe

MD5 f5ca97d246bcda258d4460b94e9bd559
SHA1 ace92b0b7703125e598aa9cd9bb1a719da5ec343
SHA256 7afda2dfc8d230f3d4c4405f3f50c464dc0b7377a832e1fe01a76b8979ff5da8
SHA512 9e2423a5dc414ce0c4d7112011440b1f19afed656b973ad8deb9bf123f7739ff0bce0a4c16c955c2eaf32df790e1f8c615f66a4d450c506703229433a0595650

memory/1980-140-0x0000000002E00000-0x0000000002F14000-memory.dmp

memory/1980-141-0x0000000002E00000-0x0000000002F14000-memory.dmp

memory/1980-142-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2328-144-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1980-153-0x0000000002E00000-0x0000000002F14000-memory.dmp

memory/1980-161-0x0000000002E00000-0x0000000002F14000-memory.dmp

\Windows\system\spoolsv.exe

MD5 3576704d4116066092ca4c6cd0381753
SHA1 8490b9fe04ff64d4e9df64aad3bee1d10dc7dc5f
SHA256 783e510ade99f8f888977fb86c8114d46f8d72613a62b8da662ca1da80dd3ef9
SHA512 dd6d0b1652e75d56c57b0f84eda7dda51aadbab1cb3224db4536024be6acac773a17eb4d72dd42c488b298039e682e1be67521653a547188b1599c1d38dae3f0

\Windows\system\spoolsv.exe

MD5 0ef4b0336835b20e5d6f76dad925a6f9
SHA1 50d888cb6c4878aac863bc66d8fba4716f7ab1c9
SHA256 00efdd1e1f95b33e0a93cc0fe1718e42ec60037fb5d3a413ce6cf1ba7a85525c
SHA512 c4575c1601dee032684da3268b40df79091534808f9350ebbe7c52c16c3bdbd8777e79143da502a185c56d914d50a255f21d236203209310c69fb0ecd3f7cd36

\Windows\system\spoolsv.exe

MD5 95b6ff2fb13391158c7f8e96c26af820
SHA1 c036259f512bf2020f36b369efeaf47332fcabfe
SHA256 588e5117e3e98c29cba835e4422bde6a7c280f9c5797ea83bfc7326b5fc17a37
SHA512 feb326c3bf362fc740410b300c1226a8a2ab05015f653954b715f08dcf91e418626e8877698665a6cacc455a13a45ee8f2633b1438741ac7249f9614d09e31d1

memory/1980-154-0x0000000002E00000-0x0000000002F14000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 1c56d4a631066ffcb996fb9adc63b8c3
SHA1 2eaa1ec7d742b9c0c1598753391d9a93a91da06d
SHA256 1b5ad4223f7100f575e3444050b11ab5c66256a82cce416d4b5a120f1e6d8ed9
SHA512 ba5ed00ebdc78d89ec373daf610798e78c184abe2ea1747e2debf69ea953a07a4b355142271f995e209e6fbb744fd21f9668ffc91e8e77d14fda20f6f90881e0

\Windows\system\spoolsv.exe

MD5 09de68e1fc21c3fe26ad11208fd37ed9
SHA1 cd25f0f54a4d02daa6fde902f46ec377711d9133
SHA256 8c3076b042958ad3be9a87f678f21e03379fe58ae6179fca6d3a851e56297a88
SHA512 38f007aba37ba83c996702a3d87144de55c2832d3b0ab74ae1b5cd5e00a0eb05fb7fd45d84ec2fb61550db5de733b64e5e42927e86d8e7920f82fe6ef15c52fc

C:\Windows\system\spoolsv.exe

MD5 f25210466aed0f4ffee22a9c764fc0dd
SHA1 fe7adb8de8f37e54d29b4e3ae5e0c148c3950348
SHA256 613cdf400faf3242e680e2c812d35721d12a0a16f5e7178b50c37e3facef927b
SHA512 3ce854ee9c2c9b8474fd299ad790b2c366309b5594e203adb015914d4d1a0eb81d60d68bd710adb77340611be6f7bc1020dd27d14548f81b336c1ced0313c429

\Windows\system\spoolsv.exe

MD5 9e013c2c683b0c16c73e05df6a9fe06c
SHA1 ad1cae6a6ecb5e06a74790b249223c98f478cfc4
SHA256 598e8c6855883acee3bf13ca16b38b3f27fb85becaabc9b0453c1de873517dea
SHA512 34bb6f78df3ba2c3cf98b4b37316d7517cacba1dffe991f3cb35917e4953ffdd24d145789bd2e831e5158e1e99957f85d28974203344971a2f15d54a3ba11aa9

\Windows\system\spoolsv.exe

MD5 2856991df776b5da88e4f455d7a100e2
SHA1 a0584fed70375b1f4045d89cd14de7d24cb0330b
SHA256 e94ec1b0b96e48cb6c1bc905e70cfecc749cfaab8796071dc9bed50a6a5e7995
SHA512 bb00a9634808d84e0dd5429d9536a95645ccf1b8bb0550f22d37225f07bb5be64e65ddf435e526fe06d92efc185a577eb64f20c9532a3095dfc39b9889a312e4

memory/1980-180-0x0000000002E00000-0x0000000002F14000-memory.dmp

\Windows\system\spoolsv.exe

MD5 33aa86b27ab9123e9fbc61ef7c4bf949
SHA1 c3ef794787ef89c1db76c9141086d04a8be94b5b
SHA256 28844b5a56d3b4a29fea7ccfacad3ea941cae4bfa79c53c8cda471fc22d6c461
SHA512 9871204eae0e3391e1fe47a619f0dab3cfe07a26dd2b2e74629d43543d118561688ee3ce887b145e346fc86c0c055a54faa28c40201433b86e91b0faf7c0e728

memory/1980-173-0x0000000002E00000-0x0000000002F14000-memory.dmp

\??\c:\windows\system\spoolsv.exe

MD5 45eee4932b7a43bca1e24193c2a627d8
SHA1 3962bd58e272c4b826df31c275c4618d6857b578
SHA256 77db0f6d41d00d3ce61b6813e4d00c701581bc8ee319c5fece447c239bfa8a21
SHA512 4410454103fd9888e494ce54f295afda80835a9b0a31fcb8ac8253d84cb8fd46768108540867486d9e1baa5f82b11f3c8afe2ffba3bf7afe29f197e26f8c78af

memory/1980-187-0x0000000002E00000-0x0000000002F14000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 f13d945fc143f9e56f2dd7fb8f0c22db
SHA1 b6a2212fec6edbed6365a04314fe8a691202ff14
SHA256 d8ce6ffe52757da485e271f787bb472c8c2cd86d237ac2d9d14d2f18b6f3a05b
SHA512 cbb8d52e99d5b489d2628b23ad5f0463e2cee60ff3719a4df844b0388afb67cc247ec9ea703341dcbd4b67e4254963cff7bfe33e2122b0b79b7bebb145fb90c2

\Windows\system\spoolsv.exe

MD5 19b7810a41d958e81014c9689c6cdbd8
SHA1 21955729a6b95b9ea6ab7e30be8ea52e685961f6
SHA256 6bed24df2fd64da5d626a54d33a421428e94de09d6177e919dd8c72200388410
SHA512 3369e47d71040f1dd0d7a103d7cc7d4099291b60bde9daa2d155ca6625c0e613426962e13ddb35e8343e84a41705daaa3741050e54dd132c32b7d4c6493ac3b7

C:\Windows\system\spoolsv.exe

MD5 1830d2d7f591f068cfd66ca58f388937
SHA1 d15c069d06a6757e9606482a55fc21f732ecb792
SHA256 4857e2c9b78ae8157cd5d2e2141ae3cd0f5d6e5ab189f4f272e851d2be05550f
SHA512 79dce227e6308d2daf72610faa1be2e50298754b1efdc635656e4cc4e062d825c55b1bb37f98148ed24fc777096b98419b368865ab24fc0099143ee484d515da

\Windows\system\spoolsv.exe

MD5 5977cb99cac3518905f28f1435f09a3f
SHA1 519b3dba4444b4951e596aa4189b6d74a29f5282
SHA256 908131b315e80afab303849ce7fffb6342ae8764755467d552d92553ed30014a
SHA512 18adfc031e7eeb243d0b512ae2b3411ca58f72599e61942c33be8b41f78fd4561a2661bcfd2cb5d7b74bf49d55aadc0b4d9cde82d4776118644d672a23b52b1d

memory/2328-226-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2112-225-0x0000000000400000-0x0000000000412000-memory.dmp

\Windows\system\svchost.exe

MD5 aff44c7d0dad962c4ad7fbf7cddaa967
SHA1 e2d017d7b764eb6b051bb34439d18f7576559883
SHA256 03c3933352e796c129cfe3663f27859539f04213ea981cb898f01c01b462f102
SHA512 0e8fe1709b67f0a3c9991273b390c96b8600ae83e8178904610654ed7507eae1172c66cb6dca59172a1d072544568ef9ab28aea069a64ba53f406f1f441dfaec

memory/1980-234-0x0000000002E00000-0x0000000002F14000-memory.dmp

memory/2664-238-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2336-240-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2664-237-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2336-235-0x0000000002DD0000-0x0000000002EE4000-memory.dmp

\Windows\system\spoolsv.exe

MD5 bc67eabdc67a31c285f62de95d2e506d
SHA1 932423d4e64640d3a0433f826d863a50da65a5de
SHA256 55739be04a6c9328f7b48595d8dabe7148a7dea71a9424fc4977667f3352bfcc
SHA512 57a6f9dd0d3c2c084e8d7a162cd948a8320838979114ac9a1cdec12525a4b637161ac9c4f6eb2ff6b0d64e762ab26c60cc5b6482ec5525ac9c377904df1d410b

\Windows\system\spoolsv.exe

MD5 1f06cc50398dbb589a977f5ae6c4a10c
SHA1 1edb14c8add50a2cdf07e2a4efd2345e435ef41d
SHA256 d30e3b0e3b48442f5561804ae5ae4af33143c3189d8ab1cbb2372267084aa017
SHA512 d55ee7bbb5834b47d1781c8eadabfe71001bbf3c332e50df7daa593b3390b7234a268a29224eeefcb47c1bccb7e028ad14e999327e66da172e28729efffb4479

memory/1980-243-0x0000000002E00000-0x0000000002F14000-memory.dmp