warzonerat | be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe
Size

8.2MB
MD5

730c977c28c0a9ba2a2b795e8e295200
SHA1

a53c2b45ee5da5e40e2d5940b71c0f0b58e59a89
SHA256

be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8
SHA512

06c7024bfb3305b540c886f824f58e25a59801ca5ea13a1cdea81fb2c1fc34217abd34bb8b985100c70b9025c8890756e4ce5b0c2998add860395651253f031f
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecT:V8e8e8f8e8e8w

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x000a000000023c49-26.dat	warzonerat
behavioral2/files/0x0009000000023c47-47.dat	warzonerat
behavioral2/files/0x000d0000000234f8-63.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000a000000023c49-26.dat	aspack_v212_v242
behavioral2/files/0x0009000000023c47-47.dat	aspack_v212_v242
behavioral2/files/0x000d0000000234f8-63.dat	aspack_v212_v242

Executes dropped EXE 64 IoCs

pid	Process
780	explorer.exe
5032	explorer.exe
2908	spoolsv.exe
4316	spoolsv.exe
1852	spoolsv.exe
2528	spoolsv.exe
100	spoolsv.exe
2808	spoolsv.exe
1624	spoolsv.exe
468	spoolsv.exe
1492	spoolsv.exe
2532	spoolsv.exe
4576	spoolsv.exe
4712	spoolsv.exe
3840	spoolsv.exe
4348	spoolsv.exe
3004	spoolsv.exe
3980	spoolsv.exe
2424	spoolsv.exe
5088	spoolsv.exe
3096	spoolsv.exe
1632	spoolsv.exe
1880	spoolsv.exe
2536	spoolsv.exe
1000	spoolsv.exe
2924	spoolsv.exe
4992	spoolsv.exe
1900	spoolsv.exe
4392	spoolsv.exe
3620	spoolsv.exe
3368	spoolsv.exe
2256	spoolsv.exe
3844	spoolsv.exe
2776	spoolsv.exe
1264	spoolsv.exe
2620	spoolsv.exe
5072	spoolsv.exe
4084	spoolsv.exe
4704	spoolsv.exe
4764	spoolsv.exe
4912	spoolsv.exe
3936	spoolsv.exe
4360	spoolsv.exe
4028	spoolsv.exe
3208	spoolsv.exe
2152	spoolsv.exe
816	spoolsv.exe
2380	spoolsv.exe
4088	spoolsv.exe
2864	spoolsv.exe
2400	spoolsv.exe
4300	spoolsv.exe
1476	spoolsv.exe
4976	spoolsv.exe
1644	spoolsv.exe
1904	spoolsv.exe
4436	spoolsv.exe
2100	spoolsv.exe
3648	spoolsv.exe
408	spoolsv.exe
4824	spoolsv.exe
4452	spoolsv.exe
2776	spoolsv.exe
2496	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 3908	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	100
PID 2424 set thread context of 3944	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	101
PID 780 set thread context of 5032	780	explorer.exe	103
PID 780 set thread context of 2216	780	explorer.exe	104

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
1976	4316	WerFault.exe	106
3912	1852	WerFault.exe	111
2508	2528	WerFault.exe	114
4888	100	WerFault.exe	117
1660	2808	WerFault.exe	120
840	1624	WerFault.exe	123
3964	468	WerFault.exe	126
1312	1492	WerFault.exe	129
4868	2532	WerFault.exe	132
3080	4576	WerFault.exe	135
1564	4712	WerFault.exe	138
5104	3840	WerFault.exe	141
3256	4348	WerFault.exe	144
5028	3004	WerFault.exe	147
4524	3980	WerFault.exe	150
4900	2424	WerFault.exe	153
5076	5088	WerFault.exe	156
3008	3096	WerFault.exe	159
4284	1632	WerFault.exe	162
2400	1880	WerFault.exe	165
3516	2536	WerFault.exe	168
1476	1000	WerFault.exe	171
3264	2924	WerFault.exe	174
1856	4992	WerFault.exe	177
848	1900	WerFault.exe	180
4636	4392	WerFault.exe	183
1720	3620	WerFault.exe	186
4316	3368	WerFault.exe	189
1852	2256	WerFault.exe	192
3992	3844	WerFault.exe	195
212	2776	WerFault.exe	198
2496	1264	WerFault.exe	201
3436	2620	WerFault.exe	204
1848	5072	WerFault.exe	207
2948	4084	WerFault.exe	210
3892	4704	WerFault.exe	213
1248	4764	WerFault.exe	216
3108	4912	WerFault.exe	219
808	3936	WerFault.exe	222
2720	4360	WerFault.exe	225
4808	4028	WerFault.exe	228
3956	3208	WerFault.exe	231
1100	2152	WerFault.exe	234
2292	816	WerFault.exe	237
884	2380	WerFault.exe	240
744	4088	WerFault.exe	243
1184	2864	WerFault.exe	246
3624	2400	WerFault.exe	249
1044	4300	WerFault.exe	252
836	1476	WerFault.exe	255
4780	4976	WerFault.exe	258
2124	1644	WerFault.exe	261
2936	1904	WerFault.exe	264
812	4436	WerFault.exe	267
1436	2100	WerFault.exe	270
1296	3648	WerFault.exe	273
3984	408	WerFault.exe	276
4844	4824	WerFault.exe	279
100	4452	WerFault.exe	282
4252	2776	WerFault.exe	285
840	2496	WerFault.exe	288
4108	3812	WerFault.exe	291
3392	468	WerFault.exe	294
1040	1492	WerFault.exe	297

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3908	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe
3908	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5032	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3908	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe
3908	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3908	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	100
PID 2424 wrote to memory of 3908	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	100
PID 2424 wrote to memory of 3908	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	100
PID 2424 wrote to memory of 3908	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	100
PID 2424 wrote to memory of 3908	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	100
PID 2424 wrote to memory of 3908	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	100
PID 2424 wrote to memory of 3908	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	100
PID 2424 wrote to memory of 3908	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	100
PID 2424 wrote to memory of 3944	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	101
PID 2424 wrote to memory of 3944	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	101
PID 2424 wrote to memory of 3944	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	101
PID 2424 wrote to memory of 3944	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	101
PID 2424 wrote to memory of 3944	2424	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	101
PID 3908 wrote to memory of 780	3908	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	102
PID 3908 wrote to memory of 780	3908	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	102
PID 3908 wrote to memory of 780	3908	be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe	102
PID 780 wrote to memory of 5032	780	explorer.exe	103
PID 780 wrote to memory of 5032	780	explorer.exe	103
PID 780 wrote to memory of 5032	780	explorer.exe	103
PID 780 wrote to memory of 5032	780	explorer.exe	103
PID 780 wrote to memory of 5032	780	explorer.exe	103
PID 780 wrote to memory of 5032	780	explorer.exe	103
PID 780 wrote to memory of 5032	780	explorer.exe	103
PID 780 wrote to memory of 5032	780	explorer.exe	103
PID 780 wrote to memory of 2216	780	explorer.exe	104
PID 780 wrote to memory of 2216	780	explorer.exe	104
PID 780 wrote to memory of 2216	780	explorer.exe	104
PID 780 wrote to memory of 2216	780	explorer.exe	104
PID 780 wrote to memory of 2216	780	explorer.exe	104
PID 5032 wrote to memory of 2908	5032	explorer.exe	105
PID 5032 wrote to memory of 2908	5032	explorer.exe	105
PID 5032 wrote to memory of 2908	5032	explorer.exe	105
PID 5032 wrote to memory of 4316	5032	explorer.exe	106
PID 5032 wrote to memory of 4316	5032	explorer.exe	106
PID 5032 wrote to memory of 4316	5032	explorer.exe	106
PID 5032 wrote to memory of 1852	5032	explorer.exe	111
PID 5032 wrote to memory of 1852	5032	explorer.exe	111
PID 5032 wrote to memory of 1852	5032	explorer.exe	111
PID 5032 wrote to memory of 2528	5032	explorer.exe	114
PID 5032 wrote to memory of 2528	5032	explorer.exe	114
PID 5032 wrote to memory of 2528	5032	explorer.exe	114
PID 5032 wrote to memory of 100	5032	explorer.exe	117
PID 5032 wrote to memory of 100	5032	explorer.exe	117
PID 5032 wrote to memory of 100	5032	explorer.exe	117
PID 5032 wrote to memory of 2808	5032	explorer.exe	120
PID 5032 wrote to memory of 2808	5032	explorer.exe	120
PID 5032 wrote to memory of 2808	5032	explorer.exe	120
PID 5032 wrote to memory of 1624	5032	explorer.exe	123
PID 5032 wrote to memory of 1624	5032	explorer.exe	123
PID 5032 wrote to memory of 1624	5032	explorer.exe	123
PID 5032 wrote to memory of 468	5032	explorer.exe	126
PID 5032 wrote to memory of 468	5032	explorer.exe	126
PID 5032 wrote to memory of 468	5032	explorer.exe	126
PID 5032 wrote to memory of 1492	5032	explorer.exe	129
PID 5032 wrote to memory of 1492	5032	explorer.exe	129
PID 5032 wrote to memory of 1492	5032	explorer.exe	129
PID 5032 wrote to memory of 2532	5032	explorer.exe	132
PID 5032 wrote to memory of 2532	5032	explorer.exe	132
PID 5032 wrote to memory of 2532	5032	explorer.exe	132
PID 5032 wrote to memory of 4576	5032	explorer.exe	135
PID 5032 wrote to memory of 4576	5032	explorer.exe	135
PID 5032 wrote to memory of 4576	5032	explorer.exe	135
PID 5032 wrote to memory of 4712	5032	explorer.exe	138
PID 5032 wrote to memory of 4712	5032	explorer.exe	138

C:\Users\Admin\AppData\Local\Temp\be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe
"C:\Users\Admin\AppData\Local\Temp\be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe
  "C:\Users\Admin\AppData\Local\Temp\be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3908
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:780
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4316
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 192
        6⤵
        Program crash
        
        PID:1976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 192
        6⤵
        Program crash
        
        PID:3912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 192
        6⤵
        Program crash
        
        PID:2508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 192
        6⤵
        Program crash
        
        PID:4888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2808
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 192
        6⤵
        Program crash
        
        PID:1660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1624
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 192
        6⤵
        Program crash
        
        PID:840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 192
        6⤵
        Program crash
        
        PID:3964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1492
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 192
        6⤵
        Program crash
        
        PID:1312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 192
        6⤵
        Program crash
        
        PID:4868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 192
        6⤵
        Program crash
        
        PID:3080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4712
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 192
        6⤵
        Program crash
        
        PID:1564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3840
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 192
        6⤵
        Program crash
        
        PID:5104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4348
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 192
        6⤵
        Program crash
        
        PID:3256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 192
        6⤵
        Program crash
        
        PID:5028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3980
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 192
        6⤵
        Program crash
        
        PID:4524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 192
        6⤵
        Program crash
        
        PID:4900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 192
        6⤵
        Program crash
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 192
        6⤵
        Program crash
        
        PID:3008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1632
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 192
        6⤵
        Program crash
        
        PID:4284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 192
        6⤵
        Program crash
        
        PID:2400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 192
        6⤵
        Program crash
        
        PID:3516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1000
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 192
        6⤵
        Program crash
        
        PID:1476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 192
        6⤵
        Program crash
        
        PID:3264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 192
        6⤵
        Program crash
        
        PID:1856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 192
        6⤵
        Program crash
        
        PID:848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4392
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 192
        6⤵
        Program crash
        
        PID:4636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 192
        6⤵
        Program crash
        
        PID:1720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3368
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 192
        6⤵
        Program crash
        
        PID:4316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 192
        6⤵
        Program crash
        
        PID:1852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 192
        6⤵
        Program crash
        
        PID:3992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 192
        6⤵
        Program crash
        
        PID:212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1264
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 192
        6⤵
        Program crash
        
        PID:2496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 192
        6⤵
        Program crash
        
        PID:3436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 192
        6⤵
        Program crash
        
        PID:1848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 192
        6⤵
        Program crash
        
        PID:2948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 192
        6⤵
        Program crash
        
        PID:3892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4764
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 192
        6⤵
        Program crash
        
        PID:1248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 192
        6⤵
        Program crash
        
        PID:3108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 192
        6⤵
        Program crash
        
        PID:808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4360
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 192
        6⤵
        Program crash
        
        PID:2720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 192
        6⤵
        Program crash
        
        PID:4808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3208
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 192
        6⤵
        Program crash
        
        PID:3956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2152
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 192
        6⤵
        Program crash
        
        PID:1100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:816
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 192
        6⤵
        Program crash
        
        PID:2292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2380
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 192
        6⤵
        Program crash
        
        PID:884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 192
        6⤵
        Program crash
        
        PID:744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2864
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 192
        6⤵
        Program crash
        
        PID:1184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 192
        6⤵
        Program crash
        
        PID:3624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4300
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 192
        6⤵
        Program crash
        
        PID:1044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 192
        6⤵
        Program crash
        
        PID:836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 192
        6⤵
        Program crash
        
        PID:4780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 192
        6⤵
        Program crash
        
        PID:2124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 192
        6⤵
        Program crash
        
        PID:2936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 192
        6⤵
        Program crash
        
        PID:812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 192
        6⤵
        Program crash
        
        PID:1436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 192
        6⤵
        Program crash
        
        PID:1296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:408
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 192
        6⤵
        Program crash
        
        PID:3984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4824
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 192
        6⤵
        Program crash
        
        PID:4844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 192
        6⤵
        Program crash
        
        PID:100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 192
        6⤵
        Program crash
        
        PID:4252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 192
        6⤵
        Program crash
        
        PID:840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3812
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 192
        6⤵
        Program crash
        
        PID:4108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 192
        6⤵
        Program crash
        
        PID:3392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1492
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 192
        6⤵
        Program crash
        
        PID:1040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:724
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 192
        6⤵
        
        PID:4056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 192
        6⤵
        
        PID:4764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 192
        6⤵
        
        PID:540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 192
        6⤵
        
        PID:1564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 192
        6⤵
        
        PID:2028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 192
        6⤵
        
        PID:3256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3736
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 192
        6⤵
        
        PID:3596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4792
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 192
        6⤵
        
        PID:4524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4680
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 192
        6⤵
        
        PID:4900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3188
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 192
        6⤵
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1376
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 192
        6⤵
        
        PID:2228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 192
        6⤵
        
        PID:4860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 192
        6⤵
        
        PID:3516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 192
        6⤵
        
        PID:3384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:892
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 192
        6⤵
        
        PID:3464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2800
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 192
        6⤵
        
        PID:388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 192
        6⤵
        
        PID:4864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 192
        6⤵
        
        PID:1900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 192
        6⤵
        
        PID:848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3824
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 192
        6⤵
        
        PID:2460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4352
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 192
        6⤵
        
        PID:2100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 192
        6⤵
        
        PID:1296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 192
        6⤵
        
        PID:3984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 192
        6⤵
        
        PID:4844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 192
        6⤵
        
        PID:2084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 192
        6⤵
        
        PID:2640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4820
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 192
        6⤵
        
        PID:1192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 192
        6⤵
        
        PID:3964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 192
        6⤵
        
        PID:3392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 192
        6⤵
        
        PID:1040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4484
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 192
        6⤵
        
        PID:2532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:672
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 192
        6⤵
        
        PID:112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 192
        6⤵
        
        PID:4916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:808
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 192
        6⤵
        
        PID:2356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 192
        6⤵
        
        PID:2028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 192
        6⤵
        
        PID:3248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 192
        6⤵
        
        PID:3596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 192
        6⤵
        
        PID:2152
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:2216
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4316 -ip 4316
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1852 -ip 1852
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2528 -ip 2528
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 100 -ip 100
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2808 -ip 2808
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1624 -ip 1624
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 468 -ip 468
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1492 -ip 1492
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2532 -ip 2532
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4576 -ip 4576
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4712 -ip 4712
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3840 -ip 3840
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4348 -ip 4348
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3004 -ip 3004
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3980 -ip 3980
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2424 -ip 2424
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5088 -ip 5088
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3096 -ip 3096
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1632 -ip 1632
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1880 -ip 1880
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2536 -ip 2536
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1000 -ip 1000
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2924 -ip 2924
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4992 -ip 4992
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1900 -ip 1900
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4392 -ip 4392
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3620 -ip 3620
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3368 -ip 3368
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2256 -ip 2256
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3844 -ip 3844
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2776 -ip 2776
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1264 -ip 1264
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2620 -ip 2620
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5072 -ip 5072
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4084 -ip 4084
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4704 -ip 4704
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4764 -ip 4764
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4912 -ip 4912
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3936 -ip 3936
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4360 -ip 4360
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4028 -ip 4028
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3208 -ip 3208
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2152 -ip 2152
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 816 -ip 816
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2380 -ip 2380
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4088 -ip 4088
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2864 -ip 2864
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2400 -ip 2400
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4300 -ip 4300
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1476 -ip 1476
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4976 -ip 4976
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1644 -ip 1644
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1904 -ip 1904
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4436 -ip 4436
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2100 -ip 2100
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3648 -ip 3648
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 408 -ip 408
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4824 -ip 4824
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4452 -ip 4452
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2776 -ip 2776
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2496 -ip 2496
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3812 -ip 3812
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 468 -ip 468
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1492 -ip 1492
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 724 -ip 724
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 112 -ip 112
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1936 -ip 1936
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 704 -ip 704
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4576 -ip 4576
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3532 -ip 3532
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3736 -ip 3736
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4792 -ip 4792
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4680 -ip 4680
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3188 -ip 3188
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1376 -ip 1376
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4488 -ip 4488
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1084 -ip 1084
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4928 -ip 4928
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 892 -ip 892
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2800 -ip 2800
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4780 -ip 4780
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1928 -ip 1928
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2952 -ip 2952
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3824 -ip 3824
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4352 -ip 4352
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2904 -ip 2904
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2112 -ip 2112
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1548 -ip 1548
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4552 -ip 4552
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1940 -ip 1940
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4820 -ip 4820
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 644 -ip 644
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3880 -ip 3880
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5024 -ip 5024
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4484 -ip 4484
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 672 -ip 672
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3108 -ip 3108
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 808 -ip 808
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3456 -ip 3456
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3228 -ip 3228
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3956 -ip 3956
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5004 -ip 5004
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
730c977c28c0a9ba2a2b795e8e295200

SHA1
a53c2b45ee5da5e40e2d5940b71c0f0b58e59a89

SHA256
be24486a14ae78fe137b7b1160faf21c35de20521866aa8ca43ed52dcf10fbf8

SHA512
06c7024bfb3305b540c886f824f58e25a59801ca5ea13a1cdea81fb2c1fc34217abd34bb8b985100c70b9025c8890756e4ce5b0c2998add860395651253f031f

Download Submit
C:\Windows\System\explorer.exe

Filesize
8.2MB

MD5
87388509489141b597820d9946f7b5c7

SHA1
2976b9ecad1633f9f59f70e1b6989669868ae331

SHA256
0316a5a7b2442ae3977a7529d8267fcb8d53e41db3010d2a853ca284eacb560d

SHA512
d3acf037bdb5aabab404c531ea92a601084d9250b04cf0d24ab3a7a975910df602691f756be2569dc40c97c666246a7441a410188aa7d4c74a4364a4eaa10f8c

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.2MB

MD5
00502ef7a4cadaa0ee5b502a2dced835

SHA1
b7d51abd745ebaeda9f5e9ccab5ddd6dfdfe4a67

SHA256
468257e1119ac0d2b2c2d89ba542c8b5c056ce80979e4e6adc77eb7bb18697df

SHA512
da20e8254a228c3a40bafd6ac2e7c4f9677c40d9e71236ca72dc6d4dc22a14acd0838b141efd71d2297b6ae853767b2ccf41c53706b7497a53563e992ac130eb

Download Submit
memory/780-36-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/780-33-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/780-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/780-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/780-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/780-59-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1852-73-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2216-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2400-127-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2424-23-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2424-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2424-6-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/2424-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2424-3-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/2424-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2424-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2908-66-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2908-83-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2908-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3532-138-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3840-87-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3908-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3908-34-0x00000000004A0000-0x0000000000569000-memory.dmp

Filesize
804KB

Download
memory/3908-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3908-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3944-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3944-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3944-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4316-71-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4316-70-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4576-84-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5032-78-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5032-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download