warzonerat | 00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
Size

8.2MB
MD5

7dd8d10794bc0b3b57785f0972bd1fb2
SHA1

dd6dfe9275987f83323979ddf528e28ac193134f
SHA256

00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541
SHA512

26323e65f6f54e0da8e0febc24befa9deec7a605155bd0ea6ea5d73bb2390aa58e0c312b9399044ee0a21d964e443d367a9e56605cd88a1276116f4578d387c6
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecH:V8e8e8f8e8e8M

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2892	explorer.exe
2168	explorer.exe
4692	spoolsv.exe
5032	spoolsv.exe
4352	spoolsv.exe
1420	spoolsv.exe
3884	spoolsv.exe
4796	spoolsv.exe
1480	spoolsv.exe
4124	spoolsv.exe
3504	spoolsv.exe
4360	spoolsv.exe
4916	spoolsv.exe
3104	spoolsv.exe
1732	spoolsv.exe
4756	spoolsv.exe
916	spoolsv.exe
1920	spoolsv.exe
4028	spoolsv.exe
3752	spoolsv.exe
1844	spoolsv.exe
3684	spoolsv.exe
4668	spoolsv.exe
944	spoolsv.exe
4316	spoolsv.exe
4004	spoolsv.exe
2588	spoolsv.exe
3688	spoolsv.exe
3780	spoolsv.exe
4356	spoolsv.exe
4436	spoolsv.exe
2416	spoolsv.exe
4092	spoolsv.exe
2840	spoolsv.exe
1188	spoolsv.exe
4224	spoolsv.exe
4680	spoolsv.exe
3716	spoolsv.exe
4476	spoolsv.exe
5072	spoolsv.exe
5024	spoolsv.exe
884	spoolsv.exe
3320	spoolsv.exe
4352	spoolsv.exe
2832	spoolsv.exe
4008	spoolsv.exe
2140	spoolsv.exe
4120	spoolsv.exe
3892	spoolsv.exe
1120	spoolsv.exe
3292	spoolsv.exe
2928	spoolsv.exe
4404	spoolsv.exe
3796	spoolsv.exe
4680	spoolsv.exe
4432	spoolsv.exe
3420	spoolsv.exe
1548	spoolsv.exe
3916	spoolsv.exe
1680	spoolsv.exe
3912	spoolsv.exe
3488	spoolsv.exe
3160	spoolsv.exe
4344	spoolsv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exespoolsv.exe00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 2044 set thread context of 964	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
PID 2044 set thread context of 3052	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	diskperf.exe
PID 2892 set thread context of 2168	2892	explorer.exe	explorer.exe
PID 2892 set thread context of 3788	2892	explorer.exe	diskperf.exe
PID 4692 set thread context of 4320	4692	spoolsv.exe	spoolsv.exe
PID 4692 set thread context of 3820	4692	spoolsv.exe	diskperf.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exespoolsv.exe00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1356	5032	WerFault.exe	spoolsv.exe
5012	4352	WerFault.exe	spoolsv.exe
944	1420	WerFault.exe	spoolsv.exe
4556	3884	WerFault.exe	spoolsv.exe
3444	4796	WerFault.exe	spoolsv.exe
2028	1480	WerFault.exe	spoolsv.exe
4320	4124	WerFault.exe	spoolsv.exe
4784	3504	WerFault.exe	spoolsv.exe
2140	4360	WerFault.exe	spoolsv.exe
4064	4916	WerFault.exe	spoolsv.exe
4512	3104	WerFault.exe	spoolsv.exe
2236	1732	WerFault.exe	spoolsv.exe
1804	4756	WerFault.exe	spoolsv.exe
4288	916	WerFault.exe	spoolsv.exe
3996	1920	WerFault.exe	spoolsv.exe
732	4028	WerFault.exe	spoolsv.exe
448	3752	WerFault.exe	spoolsv.exe
3984	1844	WerFault.exe	spoolsv.exe
3704	3684	WerFault.exe	spoolsv.exe
2560	4668	WerFault.exe	spoolsv.exe
3216	944	WerFault.exe	spoolsv.exe
3916	4316	WerFault.exe	spoolsv.exe
1364	4004	WerFault.exe	spoolsv.exe
1976	2588	WerFault.exe	spoolsv.exe
4120	3688	WerFault.exe	spoolsv.exe
3624	3780	WerFault.exe	spoolsv.exe
2344	4356	WerFault.exe	spoolsv.exe
3484	4436	WerFault.exe	spoolsv.exe
2928	2416	WerFault.exe	spoolsv.exe
3464	4092	WerFault.exe	spoolsv.exe
2332	2840	WerFault.exe	spoolsv.exe
1092	1188	WerFault.exe	spoolsv.exe
4920	4224	WerFault.exe	spoolsv.exe
1844	4680	WerFault.exe	spoolsv.exe
1788	3716	WerFault.exe	spoolsv.exe
560	4476	WerFault.exe	spoolsv.exe
1644	5072	WerFault.exe	spoolsv.exe
4792	5024	WerFault.exe	spoolsv.exe
1948	884	WerFault.exe	spoolsv.exe
3256	3320	WerFault.exe	spoolsv.exe
3936	4352	WerFault.exe	spoolsv.exe
4004	2832	WerFault.exe	spoolsv.exe
2528	4008	WerFault.exe	spoolsv.exe
5100	2140	WerFault.exe	spoolsv.exe
808	4120	WerFault.exe	spoolsv.exe
4228	3892	WerFault.exe	spoolsv.exe
4444	1120	WerFault.exe	spoolsv.exe
1196	3292	WerFault.exe	spoolsv.exe
4560	2928	WerFault.exe	spoolsv.exe
1464	4404	WerFault.exe	spoolsv.exe
4964	3796	WerFault.exe	spoolsv.exe
4336	4680	WerFault.exe	spoolsv.exe
3192	4432	WerFault.exe	spoolsv.exe
5072	3420	WerFault.exe	spoolsv.exe
5024	1548	WerFault.exe	spoolsv.exe
4116	3916	WerFault.exe	spoolsv.exe
3600	1680	WerFault.exe	spoolsv.exe
4324	3912	WerFault.exe	spoolsv.exe
2832	3488	WerFault.exe	spoolsv.exe
852	3160	WerFault.exe	spoolsv.exe
1808	4344	WerFault.exe	spoolsv.exe
2524	3768	WerFault.exe	spoolsv.exe
2844	4120	WerFault.exe	spoolsv.exe
4656	4572	WerFault.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exespoolsv.exespoolsv.exesvchost.exe00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exeexplorer.exe

pid	process
964	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
964	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2168 explorer.exe

pid	process
2168	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exeexplorer.exespoolsv.exe

pid	process
964	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
964	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
4320	spoolsv.exe
4320	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2044 wrote to memory of 964	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
PID 2044 wrote to memory of 964	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
PID 2044 wrote to memory of 964	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
PID 2044 wrote to memory of 964	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
PID 2044 wrote to memory of 964	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
PID 2044 wrote to memory of 964	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
PID 2044 wrote to memory of 964	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
PID 2044 wrote to memory of 964	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
PID 2044 wrote to memory of 3052	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	diskperf.exe
PID 2044 wrote to memory of 3052	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	diskperf.exe
PID 2044 wrote to memory of 3052	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	diskperf.exe
PID 2044 wrote to memory of 3052	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	diskperf.exe
PID 2044 wrote to memory of 3052	2044	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	diskperf.exe
PID 964 wrote to memory of 2892	964	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	explorer.exe
PID 964 wrote to memory of 2892	964	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	explorer.exe
PID 964 wrote to memory of 2892	964	00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe	explorer.exe
PID 2892 wrote to memory of 2168	2892	explorer.exe	explorer.exe
PID 2892 wrote to memory of 2168	2892	explorer.exe	explorer.exe
PID 2892 wrote to memory of 2168	2892	explorer.exe	explorer.exe
PID 2892 wrote to memory of 2168	2892	explorer.exe	explorer.exe
PID 2892 wrote to memory of 2168	2892	explorer.exe	explorer.exe
PID 2892 wrote to memory of 2168	2892	explorer.exe	explorer.exe
PID 2892 wrote to memory of 2168	2892	explorer.exe	explorer.exe
PID 2892 wrote to memory of 2168	2892	explorer.exe	explorer.exe
PID 2892 wrote to memory of 3788	2892	explorer.exe	diskperf.exe
PID 2892 wrote to memory of 3788	2892	explorer.exe	diskperf.exe
PID 2892 wrote to memory of 3788	2892	explorer.exe	diskperf.exe
PID 2892 wrote to memory of 3788	2892	explorer.exe	diskperf.exe
PID 2892 wrote to memory of 3788	2892	explorer.exe	diskperf.exe
PID 2168 wrote to memory of 4692	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4692	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4692	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 5032	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 5032	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 5032	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4352	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4352	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4352	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 1420	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 1420	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 1420	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3884	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3884	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3884	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4796	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4796	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4796	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 1480	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 1480	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 1480	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4124	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4124	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4124	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3504	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3504	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3504	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4360	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4360	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4360	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4916	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4916	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 4916	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3104	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3104	2168	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
"C:\Users\Admin\AppData\Local\Temp\00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe
  "C:\Users\Admin\AppData\Local\Temp\00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:964
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4692
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4320
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 192
        6⤵
        Program crash
        
        PID:1356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4352
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 192
        6⤵
        Program crash
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1420
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 192
        6⤵
        Program crash
        
        PID:944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3884
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 200
        6⤵
        Program crash
        
        PID:4556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 192
        6⤵
        Program crash
        
        PID:3444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 192
        6⤵
        Program crash
        
        PID:2028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 192
        6⤵
        Program crash
        
        PID:4320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 192
        6⤵
        Program crash
        
        PID:4784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4360
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 192
        6⤵
        Program crash
        
        PID:2140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 192
        6⤵
        Program crash
        
        PID:4064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3104
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 192
        6⤵
        Program crash
        
        PID:4512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 200
        6⤵
        Program crash
        
        PID:2236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4756
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 192
        6⤵
        Program crash
        
        PID:1804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 192
        6⤵
        Program crash
        
        PID:4288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 192
        6⤵
        Program crash
        
        PID:3996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 192
        6⤵
        Program crash
        
        PID:732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3752
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 192
        6⤵
        Program crash
        
        PID:448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 192
        6⤵
        Program crash
        
        PID:3984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3684
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 192
        6⤵
        Program crash
        
        PID:3704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 192
        6⤵
        Program crash
        
        PID:2560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:944
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 192
        6⤵
        Program crash
        
        PID:3216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4316
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 192
        6⤵
        Program crash
        
        PID:3916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 192
        6⤵
        Program crash
        
        PID:1364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2588
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 192
        6⤵
        Program crash
        
        PID:1976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 192
        6⤵
        Program crash
        
        PID:4120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 192
        6⤵
        Program crash
        
        PID:3624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 192
        6⤵
        Program crash
        
        PID:2344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 192
        6⤵
        Program crash
        
        PID:3484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2416
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 192
        6⤵
        Program crash
        
        PID:2928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4092
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 192
        6⤵
        Program crash
        
        PID:3464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2840
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 192
        6⤵
        Program crash
        
        PID:2332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1188
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 200
        6⤵
        Program crash
        
        PID:1092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4224
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 192
        6⤵
        Program crash
        
        PID:4920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4680
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 192
        6⤵
        Program crash
        
        PID:1844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 192
        6⤵
        Program crash
        
        PID:1788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 192
        6⤵
        Program crash
        
        PID:560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 192
        6⤵
        Program crash
        
        PID:1644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 192
        6⤵
        Program crash
        
        PID:4792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:884
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 192
        6⤵
        Program crash
        
        PID:1948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3320
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 192
        6⤵
        Program crash
        
        PID:3256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4352
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 192
        6⤵
        Program crash
        
        PID:3936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 192
        6⤵
        Program crash
        
        PID:4004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 192
        6⤵
        Program crash
        
        PID:2528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2140
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 192
        6⤵
        Program crash
        
        PID:5100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 192
        6⤵
        Program crash
        
        PID:808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3892
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 192
        6⤵
        Program crash
        
        PID:4228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 192
        6⤵
        Program crash
        
        PID:4444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 192
        6⤵
        Program crash
        
        PID:1196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 192
        6⤵
        Program crash
        
        PID:4560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 192
        6⤵
        Program crash
        
        PID:1464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 192
        6⤵
        Program crash
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4680
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 192
        6⤵
        Program crash
        
        PID:4336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 192
        6⤵
        Program crash
        
        PID:3192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3420
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 192
        6⤵
        Program crash
        
        PID:5072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 192
        6⤵
        Program crash
        
        PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 192
        6⤵
        Program crash
        
        PID:4116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1680
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 192
        6⤵
        Program crash
        
        PID:3600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 192
        6⤵
        Program crash
        
        PID:4324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 192
        6⤵
        Program crash
        
        PID:2832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 192
        6⤵
        Program crash
        
        PID:852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 192
        6⤵
        Program crash
        
        PID:1808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 192
        6⤵
        Program crash
        
        PID:2524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 192
        6⤵
        Program crash
        
        PID:2844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 192
        6⤵
        Program crash
        
        PID:4656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 192
        6⤵
        
        PID:2420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 192
        6⤵
        
        PID:4408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2416
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 192
        6⤵
        
        PID:5040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 192
        6⤵
        
        PID:2304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 192
        6⤵
        
        PID:1700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 192
        6⤵
        
        PID:704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 192
        6⤵
        
        PID:2224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4804
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 192
        6⤵
        
        PID:3632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 192
        6⤵
        
        PID:3684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1348
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 192
        6⤵
        
        PID:2324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 192
        6⤵
        
        PID:2008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 192
        6⤵
        
        PID:2560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4288
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 192
        6⤵
        
        PID:3444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4316
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 192
        6⤵
        
        PID:2180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 192
        6⤵
        
        PID:4852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 192
        6⤵
        
        PID:2676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 192
        6⤵
        
        PID:2612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 192
        6⤵
        
        PID:3424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1512
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 192
        6⤵
        
        PID:5100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3104
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 192
        6⤵
        
        PID:3948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2236
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 192
        6⤵
        
        PID:2344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 192
        6⤵
        
        PID:4436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 192
        6⤵
        
        PID:2696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3484
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 192
        6⤵
        
        PID:1060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 192
        6⤵
        
        PID:4124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 192
        6⤵
        
        PID:4044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 192
        6⤵
        
        PID:2840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4224
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 192
        6⤵
        
        PID:548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5048
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 192
        6⤵
        
        PID:1392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 192
        6⤵
        
        PID:3680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 192
        6⤵
        
        PID:1420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 192
        6⤵
        
        PID:224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 200
        6⤵
        
        PID:2560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:884
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 192
        6⤵
        
        PID:3444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 192
        6⤵
        
        PID:2372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3508
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 192
        6⤵
        
        PID:4852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 192
        6⤵
        
        PID:3936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4944
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 192
        6⤵
        
        PID:3504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 192
        6⤵
        
        PID:3580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 192
        6⤵
        
        PID:744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 192
        6⤵
        
        PID:2620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 192
        6⤵
        
        PID:1732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 192
        6⤵
        
        PID:432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 192
        6⤵
        
        PID:1120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 192
        6⤵
        
        PID:4460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 192
        6⤵
        
        PID:1112
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:3788
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5032 -ip 5032
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4352 -ip 4352
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1420 -ip 1420
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3884 -ip 3884
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4796 -ip 4796
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1480 -ip 1480
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4124 -ip 4124
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3504 -ip 3504
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4360 -ip 4360
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4916 -ip 4916
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3104 -ip 3104
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1732 -ip 1732
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4756 -ip 4756
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 916 -ip 916
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1920 -ip 1920
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4028 -ip 4028
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3752 -ip 3752
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1844 -ip 1844
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3684 -ip 3684
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4668 -ip 4668
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 944 -ip 944
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4316 -ip 4316
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4004 -ip 4004
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2588 -ip 2588
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3688 -ip 3688
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3780 -ip 3780
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4356 -ip 4356
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4436 -ip 4436
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2416 -ip 2416
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4092 -ip 4092
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2840 -ip 2840
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1188 -ip 1188
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4224 -ip 4224
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4680 -ip 4680
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3716 -ip 3716
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4476 -ip 4476
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5072 -ip 5072
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5024 -ip 5024
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 884 -ip 884
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3320 -ip 3320
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4352 -ip 4352
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2832 -ip 2832
1⤵
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4008 -ip 4008
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2140 -ip 2140
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4120 -ip 4120
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3892 -ip 3892
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1120 -ip 1120
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3292 -ip 3292
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2928 -ip 2928
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4404 -ip 4404
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3796 -ip 3796
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4680 -ip 4680
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4432 -ip 4432
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3420 -ip 3420
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1548 -ip 1548
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3916 -ip 3916
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1680 -ip 1680
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3912 -ip 3912
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3488 -ip 3488
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3160 -ip 3160
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4344 -ip 4344
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3768 -ip 3768
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4120 -ip 4120
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4572 -ip 4572
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2636 -ip 2636
1⤵
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3212 -ip 3212
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2416 -ip 2416
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1984 -ip 1984
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2028 -ip 2028
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 732 -ip 732
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2452 -ip 2452
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4804 -ip 4804
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2120 -ip 2120
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1348 -ip 1348
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2076 -ip 2076
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2592 -ip 2592
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4288 -ip 4288
1⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4316 -ip 4316
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3256 -ip 3256
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3936 -ip 3936
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2880 -ip 2880
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3580 -ip 3580
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1512 -ip 1512
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3104 -ip 3104
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2236 -ip 2236
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3008 -ip 3008
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4924 -ip 4924
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3484 -ip 3484
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4844 -ip 4844
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1984 -ip 1984
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2028 -ip 2028
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4224 -ip 4224
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5048 -ip 5048
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3192 -ip 3192
1⤵
PID:180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1644 -ip 1644
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3216 -ip 3216
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4696 -ip 4696
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 884 -ip 884
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2480 -ip 2480
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3508 -ip 3508
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 364 -ip 364
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4944 -ip 4944
1⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2468 -ip 2468
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3100 -ip 3100
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5100 -ip 5100
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3948 -ip 3948
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2344 -ip 2344
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4436 -ip 4436
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2696 -ip 2696
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3464 -ip 3464
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
7dd8d10794bc0b3b57785f0972bd1fb2

SHA1
dd6dfe9275987f83323979ddf528e28ac193134f

SHA256
00b052523dda30b598f68e914767c59bd4b0ed0adac7fd516f164ecb3960e541

SHA512
26323e65f6f54e0da8e0febc24befa9deec7a605155bd0ea6ea5d73bb2390aa58e0c312b9399044ee0a21d964e443d367a9e56605cd88a1276116f4578d387c6

Download Submit
C:\Windows\System\explorer.exe

Filesize
8.2MB

MD5
259912a2345e57c097de0713263feb1b

SHA1
48cedb0d71c864292ca0c2c3e60f3ff64fef8287

SHA256
937088fe34e5f9cce07806f9caac30441e698dbd0fbb0b9797597ea87fa274c4

SHA512
9d79a1ac55cf1a7f79ee2618d855b7a246345819f50f6f792e4c6be36771e7d41298277bffe17d49ce3593f789daa2e3c0bad8c6d71d63d79fd1fea6f2216afb

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.2MB

MD5
355235335a50d0f4dcc495243a66ccdc

SHA1
df2a092068c9c2c013c6de6d74e456f826cd1c34

SHA256
ff41065762c3f596b45946225e65aba5db296759e4f86bb5ca3215b94e1479c7

SHA512
3da0452895c09c232f2fdb068d3b63d0a03c74c0d2d1070525bbe5fc0207adbcb82cdacf4fc85c6c9e2fb3ae6d6cd2d29ff67c77c4d20a212987b1130178480b

Download Submit
memory/916-94-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/964-33-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/964-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/964-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/964-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1420-75-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1984-163-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1984-168-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1984-164-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2044-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2044-24-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2044-6-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2044-3-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2044-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2044-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2044-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2140-130-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2168-167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2168-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2168-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-57-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2892-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2892-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2892-36-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2892-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3052-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3052-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3052-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3504-84-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3780-108-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3788-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3788-82-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3884-77-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4320-166-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4352-73-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4360-87-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4476-121-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4692-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4692-86-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4692-159-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4692-66-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4924-147-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5032-70-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5032-71-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download