warzonerat | acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe
Size

8.2MB
MD5

289d273ac47a0259b639ff6d4782cab0
SHA1

fed3a1db04bb8fe8104ff15d984d02cdbd0e360d
SHA256

acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2
SHA512

384bfe5eee39302ac9795550a5bdcbeecf409bc7eb92d5c55aa293ba56f6acbbc48585affd03ea124cb5a2b8d5aaa5d1741c3b98387325253cc22892a6b5b735
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecX:V8e8e8f8e8e8s

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000023baf-27.dat	warzonerat
behavioral2/files/0x000b000000023bad-47.dat	warzonerat
behavioral2/files/0x000d000000023bad-63.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000c000000023baf-27.dat	aspack_v212_v242
behavioral2/files/0x000b000000023bad-47.dat	aspack_v212_v242
behavioral2/files/0x000d000000023bad-63.dat	aspack_v212_v242

Executes dropped EXE 64 IoCs

pid	Process
1572	explorer.exe
3556	explorer.exe
2396	spoolsv.exe
2904	spoolsv.exe
4840	spoolsv.exe
224	spoolsv.exe
3720	spoolsv.exe
3080	spoolsv.exe
3312	spoolsv.exe
3280	spoolsv.exe
2584	spoolsv.exe
2796	spoolsv.exe
3940	spoolsv.exe
3144	spoolsv.exe
3240	spoolsv.exe
2124	spoolsv.exe
2464	spoolsv.exe
3528	spoolsv.exe
404	spoolsv.exe
4296	spoolsv.exe
2656	spoolsv.exe
3100	spoolsv.exe
1576	spoolsv.exe
904	spoolsv.exe
2036	spoolsv.exe
2760	spoolsv.exe
1920	spoolsv.exe
4272	spoolsv.exe
1268	spoolsv.exe
4576	spoolsv.exe
2896	spoolsv.exe
452	spoolsv.exe
400	spoolsv.exe
4516	spoolsv.exe
4764	spoolsv.exe
1180	spoolsv.exe
3620	spoolsv.exe
4908	spoolsv.exe
1572	spoolsv.exe
2248	spoolsv.exe
548	spoolsv.exe
620	spoolsv.exe
908	spoolsv.exe
668	spoolsv.exe
1536	spoolsv.exe
2556	spoolsv.exe
4044	spoolsv.exe
2544	spoolsv.exe
3096	spoolsv.exe
2004	spoolsv.exe
4076	spoolsv.exe
3812	spoolsv.exe
1028	spoolsv.exe
5100	spoolsv.exe
4296	spoolsv.exe
1776	spoolsv.exe
3740	spoolsv.exe
3552	spoolsv.exe
5068	spoolsv.exe
3540	spoolsv.exe
1780	spoolsv.exe
2884	spoolsv.exe
3416	spoolsv.exe
1920	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 3112	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	102
PID 1540 set thread context of 3016	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	103
PID 1572 set thread context of 3556	1572	explorer.exe	106
PID 1572 set thread context of 4636	1572	explorer.exe	107

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
536	2904	WerFault.exe	109
2276	4840	WerFault.exe	114
1920	224	WerFault.exe	117
1992	3720	WerFault.exe	120
908	3080	WerFault.exe	123
4260	3312	WerFault.exe	126
324	3280	WerFault.exe	129
3692	2584	WerFault.exe	132
768	2796	WerFault.exe	135
828	3940	WerFault.exe	138
4000	3144	WerFault.exe	141
3464	3240	WerFault.exe	144
4076	2124	WerFault.exe	147
4268	2464	WerFault.exe	150
1516	3528	WerFault.exe	153
2524	404	WerFault.exe	156
2304	4296	WerFault.exe	159
4968	2656	WerFault.exe	162
4248	3100	WerFault.exe	165
4772	1576	WerFault.exe	168
2428	904	WerFault.exe	171
4144	2036	WerFault.exe	174
3436	2760	WerFault.exe	178
3212	1920	WerFault.exe	182
2380	4272	WerFault.exe	185
2432	1268	WerFault.exe	188
4524	4576	WerFault.exe	192
3780	2896	WerFault.exe	196
4832	452	WerFault.exe	199
1068	400	WerFault.exe	202
5100	4516	WerFault.exe	205
4920	4764	WerFault.exe	210
1804	1180	WerFault.exe	214
3224	3620	WerFault.exe	217
736	4908	WerFault.exe	220
2728	1572	WerFault.exe	223
804	2248	WerFault.exe	226
4616	548	WerFault.exe	229
224	620	WerFault.exe	232
2668	908	WerFault.exe	235
3724	668	WerFault.exe	238
4644	1536	WerFault.exe	241
4660	2556	WerFault.exe	244
1272	4044	WerFault.exe	247
2148	2544	WerFault.exe	250
2028	3096	WerFault.exe	253
4528	2004	WerFault.exe	256
828	4076	WerFault.exe	259
3844	3812	WerFault.exe	262
2220	1028	WerFault.exe	265
5032	5100	WerFault.exe	268
4860	4296	WerFault.exe	271
2656	1776	WerFault.exe	274
216	3740	WerFault.exe	277
4876	3552	WerFault.exe	280
4292	5068	WerFault.exe	283
4816	3540	WerFault.exe	286
2508	1780	WerFault.exe	289
2328	2884	WerFault.exe	292
2868	3416	WerFault.exe	295
224	1920	WerFault.exe	298
4996	4500	WerFault.exe	301
1800	3848	WerFault.exe	304
2904	1700	WerFault.exe	307

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3112	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe
3112	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3112	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe
3112	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 3112	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	102
PID 1540 wrote to memory of 3112	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	102
PID 1540 wrote to memory of 3112	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	102
PID 1540 wrote to memory of 3112	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	102
PID 1540 wrote to memory of 3112	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	102
PID 1540 wrote to memory of 3112	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	102
PID 1540 wrote to memory of 3112	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	102
PID 1540 wrote to memory of 3112	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	102
PID 1540 wrote to memory of 3016	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	103
PID 1540 wrote to memory of 3016	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	103
PID 1540 wrote to memory of 3016	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	103
PID 1540 wrote to memory of 3016	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	103
PID 1540 wrote to memory of 3016	1540	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	103
PID 3112 wrote to memory of 1572	3112	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	104
PID 3112 wrote to memory of 1572	3112	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	104
PID 3112 wrote to memory of 1572	3112	acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe	104
PID 1572 wrote to memory of 3556	1572	explorer.exe	106
PID 1572 wrote to memory of 3556	1572	explorer.exe	106
PID 1572 wrote to memory of 3556	1572	explorer.exe	106
PID 1572 wrote to memory of 3556	1572	explorer.exe	106
PID 1572 wrote to memory of 3556	1572	explorer.exe	106
PID 1572 wrote to memory of 3556	1572	explorer.exe	106
PID 1572 wrote to memory of 3556	1572	explorer.exe	106
PID 1572 wrote to memory of 3556	1572	explorer.exe	106
PID 1572 wrote to memory of 4636	1572	explorer.exe	107
PID 1572 wrote to memory of 4636	1572	explorer.exe	107
PID 1572 wrote to memory of 4636	1572	explorer.exe	107
PID 1572 wrote to memory of 4636	1572	explorer.exe	107
PID 1572 wrote to memory of 4636	1572	explorer.exe	107
PID 3556 wrote to memory of 2396	3556	explorer.exe	108
PID 3556 wrote to memory of 2396	3556	explorer.exe	108
PID 3556 wrote to memory of 2396	3556	explorer.exe	108
PID 3556 wrote to memory of 2904	3556	explorer.exe	109
PID 3556 wrote to memory of 2904	3556	explorer.exe	109
PID 3556 wrote to memory of 2904	3556	explorer.exe	109
PID 3556 wrote to memory of 4840	3556	explorer.exe	114
PID 3556 wrote to memory of 4840	3556	explorer.exe	114
PID 3556 wrote to memory of 4840	3556	explorer.exe	114
PID 3556 wrote to memory of 224	3556	explorer.exe	117
PID 3556 wrote to memory of 224	3556	explorer.exe	117
PID 3556 wrote to memory of 224	3556	explorer.exe	117
PID 3556 wrote to memory of 3720	3556	explorer.exe	120
PID 3556 wrote to memory of 3720	3556	explorer.exe	120
PID 3556 wrote to memory of 3720	3556	explorer.exe	120
PID 3556 wrote to memory of 3080	3556	explorer.exe	123
PID 3556 wrote to memory of 3080	3556	explorer.exe	123
PID 3556 wrote to memory of 3080	3556	explorer.exe	123
PID 3556 wrote to memory of 3312	3556	explorer.exe	126
PID 3556 wrote to memory of 3312	3556	explorer.exe	126
PID 3556 wrote to memory of 3312	3556	explorer.exe	126
PID 3556 wrote to memory of 3280	3556	explorer.exe	129
PID 3556 wrote to memory of 3280	3556	explorer.exe	129
PID 3556 wrote to memory of 3280	3556	explorer.exe	129
PID 3556 wrote to memory of 2584	3556	explorer.exe	132
PID 3556 wrote to memory of 2584	3556	explorer.exe	132
PID 3556 wrote to memory of 2584	3556	explorer.exe	132
PID 3556 wrote to memory of 2796	3556	explorer.exe	135
PID 3556 wrote to memory of 2796	3556	explorer.exe	135
PID 3556 wrote to memory of 2796	3556	explorer.exe	135
PID 3556 wrote to memory of 3940	3556	explorer.exe	138
PID 3556 wrote to memory of 3940	3556	explorer.exe	138
PID 3556 wrote to memory of 3940	3556	explorer.exe	138
PID 3556 wrote to memory of 3144	3556	explorer.exe	141
PID 3556 wrote to memory of 3144	3556	explorer.exe	141

C:\Users\Admin\AppData\Local\Temp\acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe
"C:\Users\Admin\AppData\Local\Temp\acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe
  "C:\Users\Admin\AppData\Local\Temp\acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3112
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 192
        6⤵
        Program crash
        
        PID:536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4840
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 192
        6⤵
        Program crash
        
        PID:2276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:224
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 192
        6⤵
        Program crash
        
        PID:1920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 192
        6⤵
        Program crash
        
        PID:1992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3080
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 192
        6⤵
        Program crash
        
        PID:908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3312
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 192
        6⤵
        Program crash
        
        PID:4260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 192
        6⤵
        Program crash
        
        PID:324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 192
        6⤵
        Program crash
        
        PID:3692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 192
        6⤵
        Program crash
        
        PID:768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 192
        6⤵
        Program crash
        
        PID:828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3144
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 192
        6⤵
        Program crash
        
        PID:4000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 192
        6⤵
        Program crash
        
        PID:3464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 192
        6⤵
        Program crash
        
        PID:4076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 192
        6⤵
        Program crash
        
        PID:4268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 192
        6⤵
        Program crash
        
        PID:1516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 192
        6⤵
        Program crash
        
        PID:2524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 192
        6⤵
        Program crash
        
        PID:2304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 192
        6⤵
        Program crash
        
        PID:4968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 192
        6⤵
        Program crash
        
        PID:4248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 192
        6⤵
        Program crash
        
        PID:4772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 192
        6⤵
        Program crash
        
        PID:2428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 192
        6⤵
        Program crash
        
        PID:4144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2760
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 192
        6⤵
        Program crash
        
        PID:3436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 192
        6⤵
        Program crash
        
        PID:3212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4272
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 192
        6⤵
        Program crash
        
        PID:2380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1268
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 192
        6⤵
        Program crash
        
        PID:2432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 192
        6⤵
        Program crash
        
        PID:4524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2896
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 192
        6⤵
        Program crash
        
        PID:3780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 192
        6⤵
        Program crash
        
        PID:4832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 192
        6⤵
        Program crash
        
        PID:1068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 192
        6⤵
        Program crash
        
        PID:5100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4764
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 192
        6⤵
        Program crash
        
        PID:4920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 192
        6⤵
        Program crash
        
        PID:1804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 192
        6⤵
        Program crash
        
        PID:3224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 192
        6⤵
        Program crash
        
        PID:736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 192
        6⤵
        Program crash
        
        PID:2728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 192
        6⤵
        Program crash
        
        PID:804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 192
        6⤵
        Program crash
        
        PID:4616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 192
        6⤵
        Program crash
        
        PID:224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 192
        6⤵
        Program crash
        
        PID:2668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 192
        6⤵
        Program crash
        
        PID:3724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 192
        6⤵
        Program crash
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 192
        6⤵
        Program crash
        
        PID:4660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 192
        6⤵
        Program crash
        
        PID:1272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 192
        6⤵
        Program crash
        
        PID:2148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 192
        6⤵
        Program crash
        
        PID:2028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 192
        6⤵
        Program crash
        
        PID:4528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 192
        6⤵
        Program crash
        
        PID:828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3812
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 192
        6⤵
        Program crash
        
        PID:3844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 192
        6⤵
        Program crash
        
        PID:2220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 192
        6⤵
        Program crash
        
        PID:5032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 192
        6⤵
        Program crash
        
        PID:4860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 192
        6⤵
        Program crash
        
        PID:2656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3740
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 192
        6⤵
        Program crash
        
        PID:216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 192
        6⤵
        Program crash
        
        PID:4876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 192
        6⤵
        Program crash
        
        PID:4292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 192
        6⤵
        Program crash
        
        PID:4816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 192
        6⤵
        Program crash
        
        PID:2508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2884
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 192
        6⤵
        Program crash
        
        PID:2328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3416
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 192
        6⤵
        Program crash
        
        PID:2868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 192
        6⤵
        Program crash
        
        PID:224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 192
        6⤵
        Program crash
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 192
        6⤵
        Program crash
        
        PID:1800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1700
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 192
        6⤵
        Program crash
        
        PID:2904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 192
        6⤵
        
        PID:1364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3092
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 192
        6⤵
        
        PID:4224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4864
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 192
        6⤵
        
        PID:3144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 192
        6⤵
        
        PID:380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 192
        6⤵
        
        PID:3904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5000
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 192
        6⤵
        
        PID:2004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 192
        6⤵
        
        PID:400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3744
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 192
        6⤵
        
        PID:3844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 192
        6⤵
        
        PID:4464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2412
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 192
        6⤵
        
        PID:2844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 192
        6⤵
        
        PID:2304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2408
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 192
        6⤵
        
        PID:3712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 192
        6⤵
        
        PID:1804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3740
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 192
        6⤵
        
        PID:3528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 192
        6⤵
        
        PID:904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 192
        6⤵
        
        PID:2012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4816
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 192
        6⤵
        
        PID:3636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2508
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 192
        6⤵
        
        PID:1992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2328
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 192
        6⤵
        
        PID:3524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 192
        6⤵
        
        PID:3892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:224
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 192
        6⤵
        
        PID:1784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 192
        6⤵
        
        PID:4508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1800
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 192
        6⤵
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 192
        6⤵
        
        PID:4660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 192
        6⤵
        
        PID:4212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4224
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 192
        6⤵
        
        PID:3776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 192
        6⤵
        
        PID:3796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 192
        6⤵
        
        PID:3824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 192
        6⤵
        
        PID:4652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 192
        6⤵
        
        PID:828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 192
        6⤵
        
        PID:2648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3744
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 192
        6⤵
        
        PID:3632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 192
        6⤵
        
        PID:5032
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:4636
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2904 -ip 2904
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4840 -ip 4840
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 224 -ip 224
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3720 -ip 3720
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3080 -ip 3080
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3312 -ip 3312
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3280 -ip 3280
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2584 -ip 2584
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2796 -ip 2796
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3940 -ip 3940
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3144 -ip 3144
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3240 -ip 3240
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2124 -ip 2124
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2464 -ip 2464
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3528 -ip 3528
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 404 -ip 404
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4296 -ip 4296
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2656 -ip 2656
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3100 -ip 3100
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1576 -ip 1576
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 904 -ip 904
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2036 -ip 2036
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2760 -ip 2760
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1920 -ip 1920
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4272 -ip 4272
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1268 -ip 1268
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4576 -ip 4576
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2896 -ip 2896
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 452 -ip 452
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 400 -ip 400
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4516 -ip 4516
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4764 -ip 4764
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1180 -ip 1180
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3620 -ip 3620
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4908 -ip 4908
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1572 -ip 1572
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2248 -ip 2248
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 548 -ip 548
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 620 -ip 620
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 908 -ip 908
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 668 -ip 668
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1536 -ip 1536
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2556 -ip 2556
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4044 -ip 4044
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2544 -ip 2544
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3096 -ip 3096
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2004 -ip 2004
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4076 -ip 4076
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3812 -ip 3812
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1028 -ip 1028
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5100 -ip 5100
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4296 -ip 4296
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1776 -ip 1776
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3740 -ip 3740
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3552 -ip 3552
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5068 -ip 5068
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3540 -ip 3540
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1780 -ip 1780
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2884 -ip 2884
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3416 -ip 3416
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1920 -ip 1920
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4500 -ip 4500
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3848 -ip 3848
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1700 -ip 1700
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 536 -ip 536
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3092 -ip 3092
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4864 -ip 4864
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2748 -ip 2748
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3608 -ip 3608
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5000 -ip 5000
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4532 -ip 4532
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3744 -ip 3744
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2364 -ip 2364
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2412 -ip 2412
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1176 -ip 1176
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2408 -ip 2408
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4920 -ip 4920
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3740 -ip 3740
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2620 -ip 2620
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5068 -ip 5068
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4816 -ip 4816
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2508 -ip 2508
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2328 -ip 2328
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2868 -ip 2868
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 224 -ip 224
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1652 -ip 1652
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1800 -ip 1800
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2904 -ip 2904
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1364 -ip 1364
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4224 -ip 4224
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4044 -ip 4044
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4504 -ip 4504
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3464 -ip 3464
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3592 -ip 3592
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4532 -ip 4532
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3744 -ip 3744
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2516 -ip 2516
1⤵
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
289d273ac47a0259b639ff6d4782cab0

SHA1
fed3a1db04bb8fe8104ff15d984d02cdbd0e360d

SHA256
acf58236f1d7c59258698f29d3258349b83e14dd1073b8829ba9182774ee7ef2

SHA512
384bfe5eee39302ac9795550a5bdcbeecf409bc7eb92d5c55aa293ba56f6acbbc48585affd03ea124cb5a2b8d5aaa5d1741c3b98387325253cc22892a6b5b735

Download Submit
C:\Windows\System\explorer.exe

Filesize
8.2MB

MD5
2993e00acf848d053fde7bb02b885ec4

SHA1
70ff06f071b47a7f5990699df804fb8f8d9d14d0

SHA256
b4f30e185cee23bee8a2f1b74e4db6455a8de938b8795bd3f5f9aed921e2ba2b

SHA512
cf164010512c16c6a103b4a0b1f34eb64b82ab227f83129babff139975118e5336a27a051ff6d9fc95b6f2e974eaafa26825ac9e1be437b1a1769354d8c077d9

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.2MB

MD5
cf9873bb83c3806cb9af0df420c12042

SHA1
cc05c9cf35ed223d16afafdfe5929ec07d277633

SHA256
1cc3b69450a390e5d6a7cc4ed1815e4ec39eb7929026629946c50804f649222b

SHA512
b1a9688ac35ba3a1f2c72ac113664b416b74825d032b2a20ce83679fa259c01167d36be63af871e428d9fe2540f75acbf7320df1d4227992de463dfe25ca52ca

Download Submit
memory/224-75-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1540-24-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1540-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1540-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1540-3-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1540-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1540-6-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1540-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1572-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1572-37-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1572-58-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1572-34-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1572-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1572-33-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1576-97-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2124-88-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2396-84-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2396-66-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2396-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2544-125-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2904-70-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2904-71-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3016-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3016-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3016-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3112-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3112-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3112-35-0x00000000004E0000-0x00000000005A9000-memory.dmp

Filesize
804KB

Download
memory/3112-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3112-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3556-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3556-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4636-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4840-73-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download