warzonerat | 73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496

Analysis

max time kernel
117s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
Size

8.2MB
MD5

94743e590c3fa90bcddac54c6aafd890
SHA1

6f18625ff07e8e0090da94a8a2cbd13db77510ca
SHA256

73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496
SHA512

eb48f27ded31c5ad6e42f29aba19241477155f9cf65fb8729e43cb73455f6ca57b650ceffcf64612a2a6f2c5cd7600d892ee8127a865290422931740841fff8e
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecw:V8e8e8f8e8e8B

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 12 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023cae-27.dat	warzonerat
behavioral2/files/0x0008000000023cac-49.dat	warzonerat
behavioral2/files/0x00030000000226df-65.dat	warzonerat
behavioral2/files/0x00030000000226df-133.dat	warzonerat
behavioral2/files/0x00030000000226df-134.dat	warzonerat
behavioral2/files/0x00030000000226df-135.dat	warzonerat
behavioral2/files/0x00030000000226df-136.dat	warzonerat
behavioral2/files/0x00030000000226df-137.dat	warzonerat
behavioral2/files/0x00030000000226df-139.dat	warzonerat
behavioral2/files/0x00030000000226df-140.dat	warzonerat
behavioral2/files/0x00030000000226df-141.dat	warzonerat
behavioral2/files/0x00030000000226df-142.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 12 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023cae-27.dat	aspack_v212_v242
behavioral2/files/0x0008000000023cac-49.dat	aspack_v212_v242
behavioral2/files/0x00030000000226df-65.dat	aspack_v212_v242
behavioral2/files/0x00030000000226df-133.dat	aspack_v212_v242
behavioral2/files/0x00030000000226df-134.dat	aspack_v212_v242
behavioral2/files/0x00030000000226df-135.dat	aspack_v212_v242
behavioral2/files/0x00030000000226df-136.dat	aspack_v212_v242
behavioral2/files/0x00030000000226df-137.dat	aspack_v212_v242
behavioral2/files/0x00030000000226df-139.dat	aspack_v212_v242
behavioral2/files/0x00030000000226df-140.dat	aspack_v212_v242
behavioral2/files/0x00030000000226df-141.dat	aspack_v212_v242
behavioral2/files/0x00030000000226df-142.dat	aspack_v212_v242

Executes dropped EXE 61 IoCs

pid	Process
1952	explorer.exe
3228	explorer.exe
3964	spoolsv.exe
2476	spoolsv.exe
2936	spoolsv.exe
1792	spoolsv.exe
4872	spoolsv.exe
2140	spoolsv.exe
4260	spoolsv.exe
4100	spoolsv.exe
376	spoolsv.exe
2340	spoolsv.exe
2096	spoolsv.exe
4548	spoolsv.exe
400	spoolsv.exe
4456	spoolsv.exe
324	spoolsv.exe
3696	spoolsv.exe
4688	spoolsv.exe
2144	spoolsv.exe
4932	spoolsv.exe
4816	spoolsv.exe
4072	spoolsv.exe
2460	spoolsv.exe
5044	spoolsv.exe
4396	spoolsv.exe
1928	spoolsv.exe
4248	spoolsv.exe
2612	spoolsv.exe
4776	spoolsv.exe
3112	spoolsv.exe
2012	spoolsv.exe
3692	spoolsv.exe
4468	spoolsv.exe
4852	spoolsv.exe
2392	spoolsv.exe
2568	spoolsv.exe
1636	spoolsv.exe
3932	spoolsv.exe
4028	spoolsv.exe
2880	spoolsv.exe
2684	spoolsv.exe
4344	spoolsv.exe
4264	spoolsv.exe
4712	spoolsv.exe
920	spoolsv.exe
3192	spoolsv.exe
1148	spoolsv.exe
3908	spoolsv.exe
1596	spoolsv.exe
2776	spoolsv.exe
2124	spoolsv.exe
2736	spoolsv.exe
1068	spoolsv.exe
1560	spoolsv.exe
4032	spoolsv.exe
2336	spoolsv.exe
2680	spoolsv.exe
3572	spoolsv.exe
2264	spoolsv.exe
4452	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 2948	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	99
PID 3488 set thread context of 1400	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	100
PID 1952 set thread context of 3228	1952	explorer.exe	102
PID 1952 set thread context of 1332	1952	explorer.exe	103

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2216	2476	WerFault.exe	105
4012	2936	WerFault.exe	110
684	1792	WerFault.exe	113
1728	4872	WerFault.exe	116
1168	2140	WerFault.exe	119
2488	4260	WerFault.exe	122
4460	4100	WerFault.exe	125
2780	376	WerFault.exe	128
4308	2340	WerFault.exe	131
5024	2096	WerFault.exe	134
880	4548	WerFault.exe	137
4716	400	WerFault.exe	140
5032	4456	WerFault.exe	143
1960	324	WerFault.exe	146
2676	3696	WerFault.exe	149
4560	4688	WerFault.exe	152
2744	2144	WerFault.exe	155
3452	4932	WerFault.exe	158
3664	4816	WerFault.exe	161
4660	4072	WerFault.exe	164
1900	2460	WerFault.exe	167
3444	5044	WerFault.exe	170
3216	4396	WerFault.exe	173
1744	1928	WerFault.exe	176
2000	4248	WerFault.exe	179
4384	2612	WerFault.exe	182
4008	4776	WerFault.exe	185
4212	3112	WerFault.exe	188
3688	2012	WerFault.exe	191
220	3692	WerFault.exe	194
4720	4468	WerFault.exe	197
4268	4852	WerFault.exe	200
4260	2392	WerFault.exe	203
2380	2568	WerFault.exe	206
1684	1636	WerFault.exe	209
4964	3932	WerFault.exe	212
4352	4028	WerFault.exe	215
624	2880	WerFault.exe	218
4596	2684	WerFault.exe	221
3200	4344	WerFault.exe	224
1076	4264	WerFault.exe	227
2952	4712	WerFault.exe	230
1524	920	WerFault.exe	233
3196	3192	WerFault.exe	236
4092	1148	WerFault.exe	239
4788	3908	WerFault.exe	242
3788	1596	WerFault.exe	245
4880	2776	WerFault.exe	248
2460	2124	WerFault.exe	251
116	2736	WerFault.exe	254
4396	1068	WerFault.exe	257
2604	1560	WerFault.exe	260
4248	4032	WerFault.exe	263
4432	2336	WerFault.exe
4020	2680	WerFault.exe	269
3212	3572	WerFault.exe	272
3784	2264	WerFault.exe
3336	4452	WerFault.exe	278
3008	3708	WerFault.exe
5076	2840	WerFault.exe	284
1668	3960	WerFault.exe	287
2760	4460	WerFault.exe	290
1676	1956	WerFault.exe	293
2356	1292	WerFault.exe	296

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
2948	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2948	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
2948	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 2948	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	99
PID 3488 wrote to memory of 2948	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	99
PID 3488 wrote to memory of 2948	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	99
PID 3488 wrote to memory of 2948	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	99
PID 3488 wrote to memory of 2948	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	99
PID 3488 wrote to memory of 2948	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	99
PID 3488 wrote to memory of 2948	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	99
PID 3488 wrote to memory of 2948	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	99
PID 3488 wrote to memory of 1400	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	100
PID 3488 wrote to memory of 1400	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	100
PID 3488 wrote to memory of 1400	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	100
PID 3488 wrote to memory of 1400	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	100
PID 3488 wrote to memory of 1400	3488	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	100
PID 2948 wrote to memory of 1952	2948	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	101
PID 2948 wrote to memory of 1952	2948	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	101
PID 2948 wrote to memory of 1952	2948	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	101
PID 1952 wrote to memory of 3228	1952	explorer.exe	102
PID 1952 wrote to memory of 3228	1952	explorer.exe	102
PID 1952 wrote to memory of 3228	1952	explorer.exe	102
PID 1952 wrote to memory of 3228	1952	explorer.exe	102
PID 1952 wrote to memory of 3228	1952	explorer.exe	102
PID 1952 wrote to memory of 3228	1952	explorer.exe	102
PID 1952 wrote to memory of 3228	1952	explorer.exe	102
PID 1952 wrote to memory of 3228	1952	explorer.exe	102
PID 1952 wrote to memory of 1332	1952	explorer.exe	103
PID 1952 wrote to memory of 1332	1952	explorer.exe	103
PID 1952 wrote to memory of 1332	1952	explorer.exe	103
PID 1952 wrote to memory of 1332	1952	explorer.exe	103
PID 1952 wrote to memory of 1332	1952	explorer.exe	103
PID 3228 wrote to memory of 3964	3228	explorer.exe	104
PID 3228 wrote to memory of 3964	3228	explorer.exe	104
PID 3228 wrote to memory of 3964	3228	explorer.exe	104
PID 3228 wrote to memory of 2476	3228	explorer.exe	105
PID 3228 wrote to memory of 2476	3228	explorer.exe	105
PID 3228 wrote to memory of 2476	3228	explorer.exe	105
PID 3228 wrote to memory of 2936	3228	explorer.exe	110
PID 3228 wrote to memory of 2936	3228	explorer.exe	110
PID 3228 wrote to memory of 2936	3228	explorer.exe	110
PID 3228 wrote to memory of 1792	3228	explorer.exe	113
PID 3228 wrote to memory of 1792	3228	explorer.exe	113
PID 3228 wrote to memory of 1792	3228	explorer.exe	113
PID 3228 wrote to memory of 4872	3228	explorer.exe	116
PID 3228 wrote to memory of 4872	3228	explorer.exe	116
PID 3228 wrote to memory of 4872	3228	explorer.exe	116
PID 3228 wrote to memory of 2140	3228	explorer.exe	119
PID 3228 wrote to memory of 2140	3228	explorer.exe	119
PID 3228 wrote to memory of 2140	3228	explorer.exe	119
PID 3228 wrote to memory of 4260	3228	explorer.exe	122
PID 3228 wrote to memory of 4260	3228	explorer.exe	122
PID 3228 wrote to memory of 4260	3228	explorer.exe	122
PID 3228 wrote to memory of 4100	3228	explorer.exe	125
PID 3228 wrote to memory of 4100	3228	explorer.exe	125
PID 3228 wrote to memory of 4100	3228	explorer.exe	125
PID 3228 wrote to memory of 376	3228	explorer.exe	128
PID 3228 wrote to memory of 376	3228	explorer.exe	128
PID 3228 wrote to memory of 376	3228	explorer.exe	128
PID 3228 wrote to memory of 2340	3228	explorer.exe	131
PID 3228 wrote to memory of 2340	3228	explorer.exe	131
PID 3228 wrote to memory of 2340	3228	explorer.exe	131
PID 3228 wrote to memory of 2096	3228	explorer.exe	134
PID 3228 wrote to memory of 2096	3228	explorer.exe	134
PID 3228 wrote to memory of 2096	3228	explorer.exe	134
PID 3228 wrote to memory of 4548	3228	explorer.exe	137
PID 3228 wrote to memory of 4548	3228	explorer.exe	137

C:\Users\Admin\AppData\Local\Temp\73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
"C:\Users\Admin\AppData\Local\Temp\73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Users\Admin\AppData\Local\Temp\73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
  "C:\Users\Admin\AppData\Local\Temp\73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2948
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 192
        6⤵
        Program crash
        
        PID:2216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 200
        6⤵
        Program crash
        
        PID:4012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1792
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 192
        6⤵
        Program crash
        
        PID:684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 192
        6⤵
        Program crash
        
        PID:1728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2140
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 192
        6⤵
        Program crash
        
        PID:1168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4260
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 200
        6⤵
        Program crash
        
        PID:2488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 192
        6⤵
        Program crash
        
        PID:4460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:376
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 200
        6⤵
        Program crash
        
        PID:2780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2340
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 192
        6⤵
        Program crash
        
        PID:4308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 192
        6⤵
        Program crash
        
        PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 192
        6⤵
        Program crash
        
        PID:880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 192
        6⤵
        Program crash
        
        PID:4716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 192
        6⤵
        Program crash
        
        PID:5032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:324
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 192
        6⤵
        Program crash
        
        PID:1960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 200
        6⤵
        Program crash
        
        PID:2676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 200
        6⤵
        Program crash
        
        PID:4560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2144
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 192
        6⤵
        Program crash
        
        PID:2744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4932
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 192
        6⤵
        Program crash
        
        PID:3452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4816
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 192
        6⤵
        Program crash
        
        PID:3664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 192
        6⤵
        Program crash
        
        PID:4660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 192
        6⤵
        Program crash
        
        PID:1900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 192
        6⤵
        Program crash
        
        PID:3444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 192
        6⤵
        Program crash
        
        PID:3216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 192
        6⤵
        Program crash
        
        PID:1744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 192
        6⤵
        Program crash
        
        PID:2000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 192
        6⤵
        Program crash
        
        PID:4384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 192
        6⤵
        Program crash
        
        PID:4008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 192
        6⤵
        Program crash
        
        PID:4212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2012
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 192
        6⤵
        Program crash
        
        PID:3688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 192
        6⤵
        Program crash
        
        PID:220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 192
        6⤵
        Program crash
        
        PID:4720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 192
        6⤵
        Program crash
        
        PID:4268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2392
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 192
        6⤵
        Program crash
        
        PID:4260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2568
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 192
        6⤵
        Program crash
        
        PID:2380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 192
        6⤵
        Program crash
        
        PID:1684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3932
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 192
        6⤵
        Program crash
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 192
        6⤵
        Program crash
        
        PID:4352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 192
        6⤵
        Program crash
        
        PID:624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2684
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 192
        6⤵
        Program crash
        
        PID:4596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 192
        6⤵
        Program crash
        
        PID:3200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4264
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 192
        6⤵
        Program crash
        
        PID:1076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4712
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 192
        6⤵
        Program crash
        
        PID:2952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 192
        6⤵
        Program crash
        
        PID:1524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 192
        6⤵
        Program crash
        
        PID:3196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1148
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 192
        6⤵
        Program crash
        
        PID:4092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 192
        6⤵
        Program crash
        
        PID:4788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1596
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 192
        6⤵
        Program crash
        
        PID:3788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 192
        6⤵
        Program crash
        
        PID:4880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 192
        6⤵
        Program crash
        
        PID:2460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2736
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 192
        6⤵
        Program crash
        
        PID:116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 192
        6⤵
        Program crash
        
        PID:4396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1560
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 192
        6⤵
        Program crash
        
        PID:2604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 192
        6⤵
        Program crash
        
        PID:4248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2336
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 192
        6⤵
        Program crash
        
        PID:4432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2680
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 192
        6⤵
        Program crash
        
        PID:4020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 192
        6⤵
        Program crash
        
        PID:3212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2264
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 192
        6⤵
        Program crash
        
        PID:3784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 192
        6⤵
        Program crash
        
        PID:3336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 192
        6⤵
        Program crash
        
        PID:3008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2840
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 192
        6⤵
        Program crash
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 192
        6⤵
        Program crash
        
        PID:1668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 192
        6⤵
        Program crash
        
        PID:2760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 192
        6⤵
        Program crash
        
        PID:1676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 192
        6⤵
        Program crash
        
        PID:2356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3932
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 192
        6⤵
        
        PID:2892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 192
        6⤵
        
        PID:4976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:624
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 192
        6⤵
        
        PID:4548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 192
        6⤵
        
        PID:400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4332
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 192
        6⤵
        
        PID:1852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 192
        6⤵
        
        PID:1812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 192
        6⤵
        
        PID:1708
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1332
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2476 -ip 2476
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2936 -ip 2936
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1792 -ip 1792
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4872 -ip 4872
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2140 -ip 2140
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4260 -ip 4260
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4100 -ip 4100
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 376 -ip 376
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2340 -ip 2340
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2096 -ip 2096
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4548 -ip 4548
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 400 -ip 400
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4456 -ip 4456
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 324 -ip 324
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3696 -ip 3696
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4688 -ip 4688
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2144 -ip 2144
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4932 -ip 4932
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4816 -ip 4816
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4072 -ip 4072
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2460 -ip 2460
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5044 -ip 5044
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4396 -ip 4396
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1928 -ip 1928
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4248 -ip 4248
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2612 -ip 2612
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4776 -ip 4776
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3112 -ip 3112
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2012 -ip 2012
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3692 -ip 3692
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4468 -ip 4468
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4852 -ip 4852
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2392 -ip 2392
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2568 -ip 2568
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1636 -ip 1636
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3932 -ip 3932
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4028 -ip 4028
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2880 -ip 2880
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2684 -ip 2684
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4344 -ip 4344
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4264 -ip 4264
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4712 -ip 4712
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 920 -ip 920
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3192 -ip 3192
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1148 -ip 1148
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3908 -ip 3908
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1596 -ip 1596
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2776 -ip 2776
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2124 -ip 2124
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2736 -ip 2736
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1068 -ip 1068
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1560 -ip 1560
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4032 -ip 4032
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2336 -ip 2336
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2680 -ip 2680
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3572 -ip 3572
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2264 -ip 2264
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4452 -ip 4452
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3708 -ip 3708
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2840 -ip 2840
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3960 -ip 3960
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4460 -ip 4460
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1956 -ip 1956
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1292 -ip 1292
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3932 -ip 3932
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2192 -ip 2192
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 624 -ip 624
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1984 -ip 1984
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4332 -ip 4332
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3552 -ip 3552
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4572 -ip 4572
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
94743e590c3fa90bcddac54c6aafd890

SHA1
6f18625ff07e8e0090da94a8a2cbd13db77510ca

SHA256
73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496

SHA512
eb48f27ded31c5ad6e42f29aba19241477155f9cf65fb8729e43cb73455f6ca57b650ceffcf64612a2a6f2c5cd7600d892ee8127a865290422931740841fff8e

Download Submit
C:\Windows\System\explorer.exe

Filesize
8.2MB

MD5
d9c89957b6eb0c6698357dddf88667e4

SHA1
d1689a34fea5f2e342fc1e44405d34526fc5b8c5

SHA256
571056506228456937f952955f74a5187066910317c0d2c3a8399d640c98de6d

SHA512
f3c418ba09c1a868aeeae907fb0579b2c64e53cbd5e7445d1bfe220859241530e28d428f839bc5da716a8f6b4c45740304804ae0cecf6bb0b5303bf258a9beeb

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.0MB

MD5
4efc8d5ca6fce4da85c4fd74b237d130

SHA1
34c3afef3d3918e9d6d09ab1a4dcf34a7a1e0c44

SHA256
46c96e48528e1d75d6328abaa22acb728feedd9368d72da144d9b6476536bda4

SHA512
f74cff73c14a8e04da9d27a4d28590053ab1fcd3b65dff1b97a0a53b6dfc3099220f4a3d27fc0af3645b83fdf44030993841516a1c0a52be33afe73d33d3c406

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
7.4MB

MD5
22e533f9668d7e24a4e364fe123d726f

SHA1
a89df1646b902cac29a558a05ee632fe2701962c

SHA256
c891faff87528a04f389762629bce68da85766c16cd004dce0e4f7381503e898

SHA512
1dcb0236b5bedf63da06416c760924f89c1d04b7c8118c23342a46fcc5c929243484e6b5619a9250391728d047170d6c7065564a2762af325a51ccb3971c4d17

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
6.4MB

MD5
5ea109c0af4ca5150918c3c0c7ceef02

SHA1
3a4455cf782d76cb2f2b3de895425b480becae00

SHA256
eb1e4914b22bc303b03756b8a1a707f1caf5159306a3a0e8267d2f2bb188e545

SHA512
cdcea705eaceaaa389055323d182823f69a8a366696d184df3ce3f5a16be2868b390baf91f0578aceb3876a7ff3bcc6a8fb157b2e11ae4489da74e6c2c910360

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
6.9MB

MD5
e6e55182571babeb21fd89113cf42ace

SHA1
9828fd7bd5747ecd142280006c30df66b29c0c39

SHA256
8265066e82ad16534591b34fcfa5f7ccb92d1bac5fcc211cf8916f85e4d7563d

SHA512
2854b396979fcbf2f8fa5e1db541ab0313e489dfea58385facd3b451baf886721210335e1babaec57cc846f1ee94a7845e566e447ad715485607de3675bc896d

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
5.1MB

MD5
410f8e48d9b1db846839754b4b9e818d

SHA1
b2ecce123d5ded5a692c6bcec8d58412e1018ba3

SHA256
5c1049eec8114b5a9f6968975f7a38f33b77ed6cfb36fa6e6f35cb122d006a2c

SHA512
578d5b1ea6551140f53e06ccf2f33f3f7f6d50399104f530f001a057f7b13c66dcd1c7b4f34115ede089720915a88888192f866c5198e4a58a4fa49d47f6fd87

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
4.1MB

MD5
a2274c7a1908c3fabbbc2fd61e3bf524

SHA1
0ac58308b93b7b1d6641cb62e88e1cf24ab5e440

SHA256
10b172c79d3e227342bc14cd6d9b0cc094767876ad5fa275fa5eca7b0e7aaf0c

SHA512
08c5763edac14afef037c647acf6c6238c22c21af16c804da0e206e537fec772ce154df401f355bb6340dc1dc3d5ac4ad14c1a30f7c51b1b08b94847a13d6df3

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
4.1MB

MD5
28323c556599c3db9f0103d2d6fce62c

SHA1
40ef7efc7842e1a8fdd3cb64770a5894e5878ae2

SHA256
c16d7f4a5c9d10363f64e57d074bd1f3ca4839a2dc818eaf925f6f2b77fd697e

SHA512
4760054825c68bc536f917a396ae1e4babc565f5085243095dc1ca6149271447314dd828aec5335e8c06a4a7755ce79d9aee2e80ac08e11f57a14c641dd16e0a

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
3.1MB

MD5
4bca45a5969fbde74fd99f23d764ebe9

SHA1
f831fc17079561f6c27a0584928d83d4db8ff99f

SHA256
9249d43a63ad1fc171ad6e3e07c824c5670e94d9b9ab7967c50a943827a20c22

SHA512
aad87496eab072f92f5940f9999a872fb344f521af3c22993401233254b9060366eabee983c71ebfb1915a9e94eec96b4712c4c4fba866ebbcac8deccbcbebd9

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.5MB

MD5
0638d2a29a9e05389863f06e23c9b041

SHA1
8ad669d3b890cf87bd0a7e6b1a904b1480fc9352

SHA256
c7716ac32dce62a3c44d47534126d2077816853e46cf83b5fc7f1f372b2ee839

SHA512
e6600f37dc959ceecb965190da332209554f366ab73b26d0db6708e116a1476737a2ab30c141d276db9ae3af09bf9aa12870ad7565b2d1434b0d57d7eb3399cb

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.2MB

MD5
43bd1ac99752dcfbf1156f6eb56b0b38

SHA1
ecde18f2625e525ea6d2cbfc5fb424828c1fd955

SHA256
17237717726b17a43893b68187aa3d9cbe5b680ad11ef4a7f3b9cf19c1c34f22

SHA512
32f5c83ed9864a3addb1382598e4bac2cbbe596a7d59d57141c78ea6682d80a8e3b3a0f6064154ca7452b8b4d53812548450cbdb6cc918c47447ec5516ad3554

Download Submit
memory/376-84-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1332-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1400-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1400-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1400-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1952-34-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1952-61-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1952-38-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1952-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1952-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1952-33-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2476-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2476-73-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2936-75-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2948-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-35-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/2948-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3228-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3228-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3488-24-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3488-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3488-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3488-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3488-3-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/3488-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3488-6-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/3696-93-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3964-68-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3964-67-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3964-86-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4032-138-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4260-81-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4688-96-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4776-109-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download