warzonerat | 70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824f

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe
Size

8.2MB
MD5

b1b4052f585c8c0bec92b83ae0f852c0
SHA1

1eb6e50a1436dd1eb5bb63dfb8543a904ea66f09
SHA256

70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824f
SHA512

eb8ec10d6438df4decb098b60d98ca702acfb70216f7f6d389766397f16e173864f141ac0aff595975c8b6e17f071f4dcf5c367f51c49c50e6f9175d415fb832
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecM:V8e8e8f8e8e8J

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000023b83-26.dat	warzonerat
behavioral2/files/0x000b000000023b81-48.dat	warzonerat
behavioral2/files/0x0003000000021f9c-64.dat	warzonerat
behavioral2/files/0x0003000000021f9c-137.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000c000000023b83-26.dat	aspack_v212_v242
behavioral2/files/0x000b000000023b81-48.dat	aspack_v212_v242
behavioral2/files/0x0003000000021f9c-64.dat	aspack_v212_v242
behavioral2/files/0x0003000000021f9c-137.dat	aspack_v212_v242

Executes dropped EXE 59 IoCs

pid	Process
1324	explorer.exe
4748	explorer.exe
5092	spoolsv.exe
4444	spoolsv.exe
2028	spoolsv.exe
3208	spoolsv.exe
384	spoolsv.exe
2504	spoolsv.exe
4772	spoolsv.exe
2876	spoolsv.exe
3044	spoolsv.exe
3032	spoolsv.exe
2400	spoolsv.exe
852	spoolsv.exe
1304	spoolsv.exe
5072	spoolsv.exe
4412	spoolsv.exe
2172	spoolsv.exe
4544	spoolsv.exe
4788	spoolsv.exe
4404	spoolsv.exe
920	spoolsv.exe
2868	spoolsv.exe
3048	spoolsv.exe
3976	spoolsv.exe
4836	spoolsv.exe
1944	spoolsv.exe
788	spoolsv.exe
1800	spoolsv.exe
2284	spoolsv.exe
2924	spoolsv.exe
2176	spoolsv.exe
4512	spoolsv.exe
2500	spoolsv.exe
1224	spoolsv.exe
4876	spoolsv.exe
3124	spoolsv.exe
2324	spoolsv.exe
4364	spoolsv.exe
2896	spoolsv.exe
3152	spoolsv.exe
3556	spoolsv.exe
4888	spoolsv.exe
2944	spoolsv.exe
856	spoolsv.exe
3968	spoolsv.exe
4600	spoolsv.exe
2524	spoolsv.exe
888	spoolsv.exe
2908	spoolsv.exe
1228	spoolsv.exe
1556	spoolsv.exe
1952	spoolsv.exe
3476	spoolsv.exe
3180	spoolsv.exe
2536	spoolsv.exe
4420	spoolsv.exe
3112	spoolsv.exe
4896	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 4964	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	91
PID 1884 set thread context of 1672	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	92
PID 1324 set thread context of 4748	1324	explorer.exe	94
PID 1324 set thread context of 1384	1324	explorer.exe	95

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 55 IoCs

pid	pid_target	Process	procid_target
2364	4444	WerFault.exe	97
4328	2028	WerFault.exe	101
3440	3208	WerFault.exe	104
3748	384	WerFault.exe	107
532	2504	WerFault.exe	110
3808	4772	WerFault.exe	113
992	2876	WerFault.exe	116
1456	3044	WerFault.exe	119
404	3032	WerFault.exe	122
2568	2400	WerFault.exe	125
2516	852	WerFault.exe	128
632	1304	WerFault.exe	131
3184	5072	WerFault.exe	134
5036	4412	WerFault.exe	137
972	2172	WerFault.exe	140
1480	4544	WerFault.exe	143
2244	4788	WerFault.exe	146
2848	4404	WerFault.exe	149
3020	920	WerFault.exe	152
4784	2868	WerFault.exe	155
1556	3048	WerFault.exe	158
3900	3976	WerFault.exe	161
5056	4836	WerFault.exe	164
3180	1944	WerFault.exe	167
2536	788	WerFault.exe	170
4516	1800	WerFault.exe	173
4524	2284	WerFault.exe	176
3108	2924	WerFault.exe	179
2152	2176	WerFault.exe	182
4328	4512	WerFault.exe	185
4048	2500	WerFault.exe	188
2612	1224	WerFault.exe	191
2504	4876	WerFault.exe	194
4288	3124	WerFault.exe	197
5044	2324	WerFault.exe	200
3740	4364	WerFault.exe	203
404	2896	WerFault.exe	206
2568	3152	WerFault.exe	209
2516	3556	WerFault.exe	212
3100	4888	WerFault.exe	215
3184	2944	WerFault.exe	218
1268	856	WerFault.exe	221
4792	3968	WerFault.exe	224
2156	4600	WerFault.exe	227
2244	2524	WerFault.exe	230
2956	888	WerFault.exe	233
916	2908	WerFault.exe	236
1100	1228	WerFault.exe	239
3984	1556	WerFault.exe	242
1652	1952	WerFault.exe	245
2300	3476	WerFault.exe	248
1592	3180	WerFault.exe	251
3668	2536	WerFault.exe	254
3904	4420	WerFault.exe	257
2256	3112	WerFault.exe	260

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4964	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe
4964	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4964	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe
4964	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 4964	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	91
PID 1884 wrote to memory of 4964	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	91
PID 1884 wrote to memory of 4964	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	91
PID 1884 wrote to memory of 4964	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	91
PID 1884 wrote to memory of 4964	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	91
PID 1884 wrote to memory of 4964	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	91
PID 1884 wrote to memory of 4964	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	91
PID 1884 wrote to memory of 4964	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	91
PID 1884 wrote to memory of 1672	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	92
PID 1884 wrote to memory of 1672	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	92
PID 1884 wrote to memory of 1672	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	92
PID 1884 wrote to memory of 1672	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	92
PID 1884 wrote to memory of 1672	1884	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	92
PID 4964 wrote to memory of 1324	4964	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	93
PID 4964 wrote to memory of 1324	4964	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	93
PID 4964 wrote to memory of 1324	4964	70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe	93
PID 1324 wrote to memory of 4748	1324	explorer.exe	94
PID 1324 wrote to memory of 4748	1324	explorer.exe	94
PID 1324 wrote to memory of 4748	1324	explorer.exe	94
PID 1324 wrote to memory of 4748	1324	explorer.exe	94
PID 1324 wrote to memory of 4748	1324	explorer.exe	94
PID 1324 wrote to memory of 4748	1324	explorer.exe	94
PID 1324 wrote to memory of 4748	1324	explorer.exe	94
PID 1324 wrote to memory of 4748	1324	explorer.exe	94
PID 1324 wrote to memory of 1384	1324	explorer.exe	95
PID 1324 wrote to memory of 1384	1324	explorer.exe	95
PID 1324 wrote to memory of 1384	1324	explorer.exe	95
PID 1324 wrote to memory of 1384	1324	explorer.exe	95
PID 1324 wrote to memory of 1384	1324	explorer.exe	95
PID 4748 wrote to memory of 5092	4748	explorer.exe	96
PID 4748 wrote to memory of 5092	4748	explorer.exe	96
PID 4748 wrote to memory of 5092	4748	explorer.exe	96
PID 4748 wrote to memory of 4444	4748	explorer.exe	97
PID 4748 wrote to memory of 4444	4748	explorer.exe	97
PID 4748 wrote to memory of 4444	4748	explorer.exe	97
PID 4748 wrote to memory of 2028	4748	explorer.exe	101
PID 4748 wrote to memory of 2028	4748	explorer.exe	101
PID 4748 wrote to memory of 2028	4748	explorer.exe	101
PID 4748 wrote to memory of 3208	4748	explorer.exe	104
PID 4748 wrote to memory of 3208	4748	explorer.exe	104
PID 4748 wrote to memory of 3208	4748	explorer.exe	104
PID 4748 wrote to memory of 384	4748	explorer.exe	107
PID 4748 wrote to memory of 384	4748	explorer.exe	107
PID 4748 wrote to memory of 384	4748	explorer.exe	107
PID 4748 wrote to memory of 2504	4748	explorer.exe	110
PID 4748 wrote to memory of 2504	4748	explorer.exe	110
PID 4748 wrote to memory of 2504	4748	explorer.exe	110
PID 4748 wrote to memory of 4772	4748	explorer.exe	113
PID 4748 wrote to memory of 4772	4748	explorer.exe	113
PID 4748 wrote to memory of 4772	4748	explorer.exe	113
PID 4748 wrote to memory of 2876	4748	explorer.exe	116
PID 4748 wrote to memory of 2876	4748	explorer.exe	116
PID 4748 wrote to memory of 2876	4748	explorer.exe	116
PID 4748 wrote to memory of 3044	4748	explorer.exe	119
PID 4748 wrote to memory of 3044	4748	explorer.exe	119
PID 4748 wrote to memory of 3044	4748	explorer.exe	119
PID 4748 wrote to memory of 3032	4748	explorer.exe	122
PID 4748 wrote to memory of 3032	4748	explorer.exe	122
PID 4748 wrote to memory of 3032	4748	explorer.exe	122
PID 4748 wrote to memory of 2400	4748	explorer.exe	125
PID 4748 wrote to memory of 2400	4748	explorer.exe	125
PID 4748 wrote to memory of 2400	4748	explorer.exe	125
PID 4748 wrote to memory of 852	4748	explorer.exe	128
PID 4748 wrote to memory of 852	4748	explorer.exe	128

C:\Users\Admin\AppData\Local\Temp\70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe
"C:\Users\Admin\AppData\Local\Temp\70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe
  "C:\Users\Admin\AppData\Local\Temp\70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824fN.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4964
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4444
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 192
        6⤵
        Program crash
        
        PID:2364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 192
        6⤵
        Program crash
        
        PID:4328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3208
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 192
        6⤵
        Program crash
        
        PID:3440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 192
        6⤵
        Program crash
        
        PID:3748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 192
        6⤵
        Program crash
        
        PID:532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 192
        6⤵
        Program crash
        
        PID:3808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 192
        6⤵
        Program crash
        
        PID:992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 192
        6⤵
        Program crash
        
        PID:1456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 192
        6⤵
        Program crash
        
        PID:404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 192
        6⤵
        Program crash
        
        PID:2568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 192
        6⤵
        Program crash
        
        PID:2516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 192
        6⤵
        Program crash
        
        PID:632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 192
        6⤵
        Program crash
        
        PID:3184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4412
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 192
        6⤵
        Program crash
        
        PID:5036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2172
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 192
        6⤵
        Program crash
        
        PID:972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 192
        6⤵
        Program crash
        
        PID:1480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 192
        6⤵
        Program crash
        
        PID:2244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 192
        6⤵
        Program crash
        
        PID:2848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 192
        6⤵
        Program crash
        
        PID:3020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 192
        6⤵
        Program crash
        
        PID:4784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3048
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 192
        6⤵
        Program crash
        
        PID:1556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 192
        6⤵
        Program crash
        
        PID:3900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4836
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 192
        6⤵
        Program crash
        
        PID:5056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1944
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 192
        6⤵
        Program crash
        
        PID:3180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 192
        6⤵
        Program crash
        
        PID:2536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1800
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 192
        6⤵
        Program crash
        
        PID:4516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2284
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 192
        6⤵
        Program crash
        
        PID:4524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 192
        6⤵
        Program crash
        
        PID:3108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 192
        6⤵
        Program crash
        
        PID:2152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4512
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 192
        6⤵
        Program crash
        
        PID:4328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 192
        6⤵
        Program crash
        
        PID:4048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1224
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 192
        6⤵
        Program crash
        
        PID:2612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 192
        6⤵
        Program crash
        
        PID:2504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 192
        6⤵
        Program crash
        
        PID:4288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2324
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 192
        6⤵
        Program crash
        
        PID:5044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 192
        6⤵
        Program crash
        
        PID:3740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2896
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 192
        6⤵
        Program crash
        
        PID:404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3152
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 192
        6⤵
        Program crash
        
        PID:2568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 192
        6⤵
        Program crash
        
        PID:2516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 192
        6⤵
        Program crash
        
        PID:3100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2944
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 192
        6⤵
        Program crash
        
        PID:3184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:856
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 192
        6⤵
        Program crash
        
        PID:1268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3968
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 192
        6⤵
        Program crash
        
        PID:4792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4600
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 192
        6⤵
        Program crash
        
        PID:2156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2524
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 192
        6⤵
        Program crash
        
        PID:2244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 192
        6⤵
        Program crash
        
        PID:2956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 192
        6⤵
        Program crash
        
        PID:916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 192
        6⤵
        Program crash
        
        PID:1100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 192
        6⤵
        Program crash
        
        PID:3984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 192
        6⤵
        Program crash
        
        PID:1652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 192
        6⤵
        Program crash
        
        PID:2300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 192
        6⤵
        Program crash
        
        PID:1592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 192
        6⤵
        Program crash
        
        PID:3668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4420
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 192
        6⤵
        Program crash
        
        PID:3904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 192
        6⤵
        Program crash
        
        PID:2256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4896
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1384
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4444 -ip 4444
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2028 -ip 2028
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3208 -ip 3208
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 384 -ip 384
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2504 -ip 2504
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4772 -ip 4772
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2876 -ip 2876
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3044 -ip 3044
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3032 -ip 3032
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2400 -ip 2400
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 852 -ip 852
1⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1304 -ip 1304
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5072 -ip 5072
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4412 -ip 4412
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2172 -ip 2172
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4544 -ip 4544
1⤵
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4788 -ip 4788
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4404 -ip 4404
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 920 -ip 920
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2868 -ip 2868
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3048 -ip 3048
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3976 -ip 3976
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4836 -ip 4836
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1944 -ip 1944
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 788 -ip 788
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1800 -ip 1800
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2284 -ip 2284
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2924 -ip 2924
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2176 -ip 2176
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4512 -ip 4512
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2500 -ip 2500
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1224 -ip 1224
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4876 -ip 4876
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3124 -ip 3124
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2324 -ip 2324
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4364 -ip 4364
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2896 -ip 2896
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3152 -ip 3152
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3556 -ip 3556
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4888 -ip 4888
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2944 -ip 2944
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 856 -ip 856
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3968 -ip 3968
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4600 -ip 4600
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2524 -ip 2524
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 888 -ip 888
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2908 -ip 2908
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1228 -ip 1228
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1556 -ip 1556
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1952 -ip 1952
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3476 -ip 3476
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3180 -ip 3180
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2536 -ip 2536
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4420 -ip 4420
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3112 -ip 3112
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4896 -ip 4896
1⤵
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
b1b4052f585c8c0bec92b83ae0f852c0

SHA1
1eb6e50a1436dd1eb5bb63dfb8543a904ea66f09

SHA256
70ce9b2a4a7dd0ad287942cbaa578f2275ee1c89eab2b0579bd25f51f72a824f

SHA512
eb8ec10d6438df4decb098b60d98ca702acfb70216f7f6d389766397f16e173864f141ac0aff595975c8b6e17f071f4dcf5c367f51c49c50e6f9175d415fb832

Download Submit
C:\Windows\System\explorer.exe

Filesize
8.2MB

MD5
cb29ab9c720db694a67d85ca82dfbaa7

SHA1
2db9a4c23e37d459b5222766d7381a3f19c2690c

SHA256
b7a2572209b84a1f47d0394e91c249f3a5ed70a6957fbd1e7363b24a9d9bcbfd

SHA512
d1d3d7998bd7b444f16dc4bf234c44fc6baa8b3b49a61e851a03e55b3d04326c146da2557c73bc20eb8fa589594d46a944dda4073316cbc80d659190399056e4

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
3.8MB

MD5
b3daf94941be30f4418b1a3e5df568eb

SHA1
c0a466ab271ab880787aca9d374dbfdd8551a698

SHA256
cf95ab19bc8bce0a6cf7362aabf30bbe0b9b3d702c61659fe91ebf2661f07d2c

SHA512
c70427623bc86cd4411953a6927d7aea52b47caa32ba2ea2863c352061a3bdc0a462053a21cbe21766d9435af0867adc940b3c7599a2881d8c7650a2ad9a00f2

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.2MB

MD5
7dcea588b11bdae617dceb686d35717b

SHA1
90f37e656c8bebe7a17ccb1ed11b641db71ddbfb

SHA256
724718f97c450d68572890aeef97ca4552e9285cd07fb9d32ee2900cf85c0bf4

SHA512
39769bbdc3fd376ad6ef2939b6f938f414a8d2010cdf23701d3c94d7019b328ea46dbd7fc299576a0c8955cac76c89bca80e38a807b9fc1e8091e436a61946dc

Download Submit
memory/1324-33-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1324-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1324-60-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1324-37-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1324-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1324-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1384-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1672-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1672-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1672-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1884-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1884-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1884-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1884-23-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1884-3-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1884-6-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1884-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2028-74-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2172-92-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4444-71-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4444-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4748-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4748-50-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-80-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4964-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4964-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4964-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4964-34-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/5092-66-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5092-67-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5092-84-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download