warzonerat | 2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
Size

8.2MB
MD5

6cbf98c1158d231addc657759cf75540
SHA1

86e2108ebc489b13b4971103382954a0042bee55
SHA256

2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75
SHA512

a0d25d81be2ee7709a84d0a56f5b34c8a256bb2d3ae7b025e547a3ea6c8f02c38882ead9113928f2c50fbd02c973ab2d69b175df794edce2afca13080fe0a764
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecv:V8e8e8f8e8e8I

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4556	explorer.exe
3744	explorer.exe
2700	spoolsv.exe
3940	spoolsv.exe
3212	spoolsv.exe
2620	spoolsv.exe
4436	spoolsv.exe
2580	spoolsv.exe
1380	spoolsv.exe
4780	spoolsv.exe
1096	spoolsv.exe
4652	spoolsv.exe
4912	spoolsv.exe
1928	spoolsv.exe
2392	spoolsv.exe
556	spoolsv.exe
2768	spoolsv.exe
1000	spoolsv.exe
2980	spoolsv.exe
2424	spoolsv.exe
4476	spoolsv.exe
2472	spoolsv.exe
3284	spoolsv.exe
916	spoolsv.exe
4904	spoolsv.exe
2108	spoolsv.exe
1252	spoolsv.exe
4836	spoolsv.exe
744	spoolsv.exe
3536	spoolsv.exe
3416	spoolsv.exe
4564	spoolsv.exe
464	spoolsv.exe
1472	spoolsv.exe
3004	spoolsv.exe
2956	spoolsv.exe
2032	spoolsv.exe
2224	spoolsv.exe
1856	spoolsv.exe
3692	spoolsv.exe
1152	spoolsv.exe
2772	spoolsv.exe
3704	spoolsv.exe
1252	spoolsv.exe
3068	spoolsv.exe
4468	spoolsv.exe
3516	spoolsv.exe
3308	spoolsv.exe
3404	spoolsv.exe
1476	spoolsv.exe
1372	spoolsv.exe
2328	spoolsv.exe
2544	spoolsv.exe
3228	spoolsv.exe
3756	spoolsv.exe
372	spoolsv.exe
1572	spoolsv.exe
3584	spoolsv.exe
376	spoolsv.exe
2040	spoolsv.exe
1436	spoolsv.exe
2276	spoolsv.exe
2108	spoolsv.exe
4632	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exeexplorer.exe

description	pid	process	target process
PID 2336 set thread context of 1608	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
PID 2336 set thread context of 2552	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	diskperf.exe
PID 4556 set thread context of 3744	4556	explorer.exe	explorer.exe
PID 4556 set thread context of 1740	4556	explorer.exe	diskperf.exe

Drops file in Windows directory 3 IoCs

Processes:

2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2128	3940	WerFault.exe	spoolsv.exe
1448	3212	WerFault.exe	spoolsv.exe
4076	2620	WerFault.exe	spoolsv.exe
1360	4436	WerFault.exe	spoolsv.exe
1876	2580	WerFault.exe	spoolsv.exe
4716	1380	WerFault.exe	spoolsv.exe
4504	4780	WerFault.exe	spoolsv.exe
720	1096	WerFault.exe	spoolsv.exe
1192	4652	WerFault.exe	spoolsv.exe
3416	4912	WerFault.exe	spoolsv.exe
4564	1928	WerFault.exe	spoolsv.exe
464	2392	WerFault.exe	spoolsv.exe
4812	556	WerFault.exe	spoolsv.exe
1020	2768	WerFault.exe	spoolsv.exe
3228	1000	WerFault.exe	spoolsv.exe
2420	2980	WerFault.exe	spoolsv.exe
1076	2424	WerFault.exe	spoolsv.exe
2516	4476	WerFault.exe	spoolsv.exe
100	2472	WerFault.exe	spoolsv.exe
4344	3284	WerFault.exe	spoolsv.exe
3420	916	WerFault.exe	spoolsv.exe
4808	4904	WerFault.exe	spoolsv.exe
1300	2108	WerFault.exe	spoolsv.exe
1588	1252	WerFault.exe	spoolsv.exe
2952	4836	WerFault.exe	spoolsv.exe
4692	744	WerFault.exe	spoolsv.exe
3928	3536	WerFault.exe	spoolsv.exe
2720	3416	WerFault.exe	spoolsv.exe
3292	4564	WerFault.exe	spoolsv.exe
2104	464	WerFault.exe	spoolsv.exe
1104	1472	WerFault.exe	spoolsv.exe
1924	3004	WerFault.exe	spoolsv.exe
1572	2956	WerFault.exe	spoolsv.exe
232	2032	WerFault.exe	spoolsv.exe
4240	2224	WerFault.exe	spoolsv.exe
2984	1856	WerFault.exe	spoolsv.exe
5020	3692	WerFault.exe	spoolsv.exe
4808	1152	WerFault.exe	spoolsv.exe
3760	2772	WerFault.exe	spoolsv.exe
4632	3704	WerFault.exe	spoolsv.exe
2664	1252	WerFault.exe	spoolsv.exe
1296	3068	WerFault.exe	spoolsv.exe
3256	4468	WerFault.exe	spoolsv.exe
468	3516	WerFault.exe	spoolsv.exe
2232	3308	WerFault.exe	spoolsv.exe
5112	3404	WerFault.exe	spoolsv.exe
1268	1476	WerFault.exe	spoolsv.exe
1376	1372	WerFault.exe	spoolsv.exe
960	2328	WerFault.exe	spoolsv.exe
3580	2544	WerFault.exe	spoolsv.exe
4216	3228	WerFault.exe	spoolsv.exe
3004	3756	WerFault.exe	spoolsv.exe
700	372	WerFault.exe	spoolsv.exe
4852	1572	WerFault.exe	spoolsv.exe
4352	3584	WerFault.exe	spoolsv.exe
4240	376	WerFault.exe	spoolsv.exe
3080	2040	WerFault.exe	spoolsv.exe
5020	1436	WerFault.exe	spoolsv.exe
1152	2276	WerFault.exe	spoolsv.exe
5064	2108	WerFault.exe	spoolsv.exe
2592	4632	WerFault.exe	spoolsv.exe
3424	1708	WerFault.exe	spoolsv.exe
1156	3068	WerFault.exe	spoolsv.exe
3312	3720	WerFault.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

spoolsv.exe2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exeexplorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exeexplorer.exe

pid	process
1608	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
1608	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exeexplorer.exe

pid	process
1608	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
1608	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe
3744	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2336 wrote to memory of 1608	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
PID 2336 wrote to memory of 1608	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
PID 2336 wrote to memory of 1608	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
PID 2336 wrote to memory of 1608	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
PID 2336 wrote to memory of 1608	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
PID 2336 wrote to memory of 1608	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
PID 2336 wrote to memory of 1608	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
PID 2336 wrote to memory of 1608	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
PID 2336 wrote to memory of 2552	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	diskperf.exe
PID 2336 wrote to memory of 2552	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	diskperf.exe
PID 2336 wrote to memory of 2552	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	diskperf.exe
PID 2336 wrote to memory of 2552	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	diskperf.exe
PID 2336 wrote to memory of 2552	2336	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	diskperf.exe
PID 1608 wrote to memory of 4556	1608	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	explorer.exe
PID 1608 wrote to memory of 4556	1608	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	explorer.exe
PID 1608 wrote to memory of 4556	1608	2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe	explorer.exe
PID 4556 wrote to memory of 3744	4556	explorer.exe	explorer.exe
PID 4556 wrote to memory of 3744	4556	explorer.exe	explorer.exe
PID 4556 wrote to memory of 3744	4556	explorer.exe	explorer.exe
PID 4556 wrote to memory of 3744	4556	explorer.exe	explorer.exe
PID 4556 wrote to memory of 3744	4556	explorer.exe	explorer.exe
PID 4556 wrote to memory of 3744	4556	explorer.exe	explorer.exe
PID 4556 wrote to memory of 3744	4556	explorer.exe	explorer.exe
PID 4556 wrote to memory of 3744	4556	explorer.exe	explorer.exe
PID 4556 wrote to memory of 1740	4556	explorer.exe	diskperf.exe
PID 4556 wrote to memory of 1740	4556	explorer.exe	diskperf.exe
PID 4556 wrote to memory of 1740	4556	explorer.exe	diskperf.exe
PID 4556 wrote to memory of 1740	4556	explorer.exe	diskperf.exe
PID 4556 wrote to memory of 1740	4556	explorer.exe	diskperf.exe
PID 3744 wrote to memory of 2700	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 2700	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 2700	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 3940	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 3940	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 3940	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 3212	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 3212	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 3212	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 2620	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 2620	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 2620	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 4436	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 4436	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 4436	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 2580	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 2580	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 2580	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 1380	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 1380	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 1380	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 4780	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 4780	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 4780	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 1096	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 1096	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 1096	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 4652	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 4652	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 4652	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 4912	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 4912	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 4912	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 1928	3744	explorer.exe	spoolsv.exe
PID 3744 wrote to memory of 1928	3744	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
"C:\Users\Admin\AppData\Local\Temp\2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe
  "C:\Users\Admin\AppData\Local\Temp\2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1608
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 192
        6⤵
        Program crash
        
        PID:2128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 192
        6⤵
        Program crash
        
        PID:1448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 192
        6⤵
        Program crash
        
        PID:4076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 192
        6⤵
        Program crash
        
        PID:1360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 192
        6⤵
        Program crash
        
        PID:1876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1380
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 192
        6⤵
        Program crash
        
        PID:4716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 192
        6⤵
        Program crash
        
        PID:4504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 192
        6⤵
        Program crash
        
        PID:720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 192
        6⤵
        Program crash
        
        PID:1192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 192
        6⤵
        Program crash
        
        PID:3416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 192
        6⤵
        Program crash
        
        PID:4564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2392
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 192
        6⤵
        Program crash
        
        PID:464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 192
        6⤵
        Program crash
        
        PID:4812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 192
        6⤵
        Program crash
        
        PID:1020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1000
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 192
        6⤵
        Program crash
        
        PID:3228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2980
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 192
        6⤵
        Program crash
        
        PID:2420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 192
        6⤵
        Program crash
        
        PID:1076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 192
        6⤵
        Program crash
        
        PID:2516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2472
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 192
        6⤵
        Program crash
        
        PID:100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3284
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 192
        6⤵
        Program crash
        
        PID:4344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 192
        6⤵
        Program crash
        
        PID:3420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 192
        6⤵
        Program crash
        
        PID:4808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 192
        6⤵
        Program crash
        
        PID:1300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1252
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 192
        6⤵
        Program crash
        
        PID:1588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4836
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 192
        6⤵
        Program crash
        
        PID:2952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:744
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 192
        6⤵
        Program crash
        
        PID:4692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 192
        6⤵
        Program crash
        
        PID:3928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3416
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 192
        6⤵
        Program crash
        
        PID:2720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4564
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 192
        6⤵
        Program crash
        
        PID:3292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 192
        6⤵
        Program crash
        
        PID:2104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1472
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 200
        6⤵
        Program crash
        
        PID:1104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 192
        6⤵
        Program crash
        
        PID:1924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 192
        6⤵
        Program crash
        
        PID:1572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 192
        6⤵
        Program crash
        
        PID:232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2224
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 192
        6⤵
        Program crash
        
        PID:4240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1856
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 192
        6⤵
        Program crash
        
        PID:2984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 192
        6⤵
        Program crash
        
        PID:5020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1152
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 192
        6⤵
        Program crash
        
        PID:4808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 192
        6⤵
        Program crash
        
        PID:3760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 192
        6⤵
        Program crash
        
        PID:4632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1252
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 192
        6⤵
        Program crash
        
        PID:2664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 192
        6⤵
        Program crash
        
        PID:1296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 192
        6⤵
        Program crash
        
        PID:3256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 192
        6⤵
        Program crash
        
        PID:468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3308
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 192
        6⤵
        Program crash
        
        PID:2232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 192
        6⤵
        Program crash
        
        PID:5112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 192
        6⤵
        Program crash
        
        PID:1268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 192
        6⤵
        Program crash
        
        PID:1376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2328
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 192
        6⤵
        Program crash
        
        PID:960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 192
        6⤵
        Program crash
        
        PID:3580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 192
        6⤵
        Program crash
        
        PID:4216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3756
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 192
        6⤵
        Program crash
        
        PID:3004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 192
        6⤵
        Program crash
        
        PID:700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 192
        6⤵
        Program crash
        
        PID:4852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 192
        6⤵
        Program crash
        
        PID:4352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:376
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 192
        6⤵
        Program crash
        
        PID:4240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 192
        6⤵
        Program crash
        
        PID:3080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 192
        6⤵
        Program crash
        
        PID:5020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2276
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 192
        6⤵
        Program crash
        
        PID:1152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 192
        6⤵
        Program crash
        
        PID:5064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4632
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 192
        6⤵
        Program crash
        
        PID:2592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 192
        6⤵
        Program crash
        
        PID:3424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 192
        6⤵
        Program crash
        
        PID:1156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 192
        6⤵
        Program crash
        
        PID:3312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 192
        6⤵
        
        PID:744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4060
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 192
        6⤵
        
        PID:3308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 192
        6⤵
        
        PID:5112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 192
        6⤵
        
        PID:1268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 192
        6⤵
        
        PID:2556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 192
        6⤵
        
        PID:832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 192
        6⤵
        
        PID:2908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 192
        6⤵
        
        PID:112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 192
        6⤵
        
        PID:1076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1168
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 192
        6⤵
        
        PID:4820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 192
        6⤵
        
        PID:2516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 200
        6⤵
        
        PID:4876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4352
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 192
        6⤵
        
        PID:2000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 192
        6⤵
        
        PID:2224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 192
        6⤵
        
        PID:1316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 192
        6⤵
        
        PID:3692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 192
        6⤵
        
        PID:4076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 192
        6⤵
        
        PID:1588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 192
        6⤵
        
        PID:4800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 192
        6⤵
        
        PID:3556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 192
        6⤵
        
        PID:1480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 192
        6⤵
        
        PID:1700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 192
        6⤵
        
        PID:2336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 192
        6⤵
        
        PID:704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 192
        6⤵
        
        PID:2376
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1740
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3940 -ip 3940
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3212 -ip 3212
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2620 -ip 2620
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4436 -ip 4436
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2580 -ip 2580
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1380 -ip 1380
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4780 -ip 4780
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1096 -ip 1096
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4652 -ip 4652
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4912 -ip 4912
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1928 -ip 1928
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2392 -ip 2392
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 556 -ip 556
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2768 -ip 2768
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1000 -ip 1000
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2980 -ip 2980
1⤵
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2424 -ip 2424
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4476 -ip 4476
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2472 -ip 2472
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3284 -ip 3284
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 916 -ip 916
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4904 -ip 4904
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2108 -ip 2108
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1252 -ip 1252
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4836 -ip 4836
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 744 -ip 744
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3536 -ip 3536
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3416 -ip 3416
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4564 -ip 4564
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 464 -ip 464
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1472 -ip 1472
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3004 -ip 3004
1⤵
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2956 -ip 2956
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2032 -ip 2032
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2224 -ip 2224
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1856 -ip 1856
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3692 -ip 3692
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1152 -ip 1152
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2772 -ip 2772
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3704 -ip 3704
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1252 -ip 1252
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3068 -ip 3068
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4468 -ip 4468
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3516 -ip 3516
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3308 -ip 3308
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3404 -ip 3404
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1476 -ip 1476
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1372 -ip 1372
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2328 -ip 2328
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2544 -ip 2544
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3228 -ip 3228
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3756 -ip 3756
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 372 -ip 372
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1572 -ip 1572
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3584 -ip 3584
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 376 -ip 376
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2040 -ip 2040
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1436 -ip 1436
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2276 -ip 2276
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2108 -ip 2108
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4632 -ip 4632
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1708 -ip 1708
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3068 -ip 3068
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3720 -ip 3720
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 720 -ip 720
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4060 -ip 4060
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3928 -ip 3928
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4132 -ip 4132
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3292 -ip 3292
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3176 -ip 3176
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1652 -ip 1652
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2036 -ip 2036
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1924 -ip 1924
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1168 -ip 1168
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 372 -ip 372
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4852 -ip 4852
1⤵
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4352 -ip 4352
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3456 -ip 3456
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2708 -ip 2708
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4636 -ip 4636
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1900 -ip 1900
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2004 -ip 2004
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 396 -ip 396
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3952 -ip 3952
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4556 -ip 4556
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4468 -ip 4468
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 468 -ip 468
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1988 -ip 1988
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 940 -ip 940
1⤵
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
6cbf98c1158d231addc657759cf75540

SHA1
86e2108ebc489b13b4971103382954a0042bee55

SHA256
2f68b99b7e23a3d6f4255a64e0bfbf6c0393716f59892ff248866d56021daa75

SHA512
a0d25d81be2ee7709a84d0a56f5b34c8a256bb2d3ae7b025e547a3ea6c8f02c38882ead9113928f2c50fbd02c973ab2d69b175df794edce2afca13080fe0a764

Download Submit
C:\Windows\System\explorer.exe

Filesize
8.2MB

MD5
fdaa3557c345bd1d0629d723ef84dd34

SHA1
d73c512a111f28bb7f27365cdcc91f416cdb99ec

SHA256
7b77e1b78108d928ca8befe0753ba2c724bd0ae2aa796fc00cda35f8a794a75a

SHA512
e67c0e2a28dc2a80ab23bd170254f328230f037162a082b1614f94fd6dd9a7f5b5cac4f5bc2753aa7bcbd7e612b63ab3d56a7bfe61fd16818c72b8c7077b8707

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.2MB

MD5
1bff7ea8ba3aa3951ecd14054d2665c6

SHA1
98e134758ea269b6d723890bed93e46f65b4a261

SHA256
c4c74840329bb36bf5b7acec552827c5f59a8adc27dae6215708dafa903c9dcf

SHA512
f6c52af96b6fc7178046bb4a0baa4c2a7a6e4eb0a45e0300b23ef685d24250aeb7c97980b8c6752d9f0ce17aa8d4e1b1d3fb45495b9dfee5b5376d47d4505055

Download Submit
memory/1608-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-33-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/1608-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2336-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2336-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2336-22-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2336-6-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2336-3-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2336-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2336-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2392-88-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2552-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2552-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2552-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2700-83-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2700-67-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2700-66-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2700-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3212-74-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3284-98-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3516-126-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3744-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3744-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3940-71-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3940-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4468-124-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4556-36-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4556-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4556-29-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4556-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4556-59-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4556-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4652-84-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4852-142-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download