warzonerat | 348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baedd

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/11/2024, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe
Size

8.2MB
MD5

aa09cc47753e2225e73358e54badc070
SHA1

446e0bf562d920985f85d6e7679d076886e8178d
SHA256

348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baedd
SHA512

c6c2d148eb9f886faf404cbb1feae4fa6b943772d2c79ee898d608dbb1bab76066d4b7df1fd6616bd04acf789f39b0d4189184d3ad2895ea902240c97ae7af17
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecS:V8e8e8f8e8e8d

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000023b90-26.dat	warzonerat
behavioral2/files/0x000b000000023b8e-46.dat	warzonerat
behavioral2/files/0x0003000000022701-61.dat	warzonerat
behavioral2/files/0x0003000000022701-138.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000c000000023b90-26.dat	aspack_v212_v242
behavioral2/files/0x000b000000023b8e-46.dat	aspack_v212_v242
behavioral2/files/0x0003000000022701-61.dat	aspack_v212_v242
behavioral2/files/0x0003000000022701-138.dat	aspack_v212_v242

Executes dropped EXE 60 IoCs

pid	Process
656	explorer.exe
1808	explorer.exe
732	spoolsv.exe
3576	spoolsv.exe
1292	spoolsv.exe
1832	spoolsv.exe
4712	spoolsv.exe
520	spoolsv.exe
1772	spoolsv.exe
1040	spoolsv.exe
4144	spoolsv.exe
1964	spoolsv.exe
184	spoolsv.exe
4860	spoolsv.exe
1548	spoolsv.exe
2456	spoolsv.exe
4112	spoolsv.exe
2796	spoolsv.exe
2344	spoolsv.exe
1860	spoolsv.exe
4540	spoolsv.exe
1948	spoolsv.exe
4536	spoolsv.exe
4728	spoolsv.exe
4808	spoolsv.exe
3908	spoolsv.exe
1384	spoolsv.exe
1000	spoolsv.exe
3856	spoolsv.exe
1844	spoolsv.exe
556	spoolsv.exe
2972	spoolsv.exe
2372	spoolsv.exe
2776	spoolsv.exe
1160	spoolsv.exe
3712	spoolsv.exe
3024	spoolsv.exe
4256	spoolsv.exe
1920	spoolsv.exe
1964	spoolsv.exe
4760	spoolsv.exe
1736	spoolsv.exe
1172	spoolsv.exe
4008	spoolsv.exe
4548	spoolsv.exe
2796	spoolsv.exe
2344	spoolsv.exe
436	spoolsv.exe
944	spoolsv.exe
2708	spoolsv.exe
4148	spoolsv.exe
2668	spoolsv.exe
4224	spoolsv.exe
4384	spoolsv.exe
3452	spoolsv.exe
4488	spoolsv.exe
880	spoolsv.exe
1816	spoolsv.exe
5008	spoolsv.exe
2296	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3116 set thread context of 2940	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	99
PID 3116 set thread context of 3052	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	100
PID 656 set thread context of 1808	656	explorer.exe	103
PID 656 set thread context of 4348	656	explorer.exe	104

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 56 IoCs

pid	pid_target	Process	procid_target
628	3576	WerFault.exe	106
1864	1292	WerFault.exe	111
4736	1832	WerFault.exe	114
860	4712	WerFault.exe	117
1372	520	WerFault.exe	120
392	1772	WerFault.exe	123
2660	1040	WerFault.exe	126
2356	4144	WerFault.exe	129
864	1964	WerFault.exe	132
3044	184	WerFault.exe	135
3100	4860	WerFault.exe	138
4508	1548	WerFault.exe	141
4104	2456	WerFault.exe	144
980	4112	WerFault.exe	147
4708	2796	WerFault.exe	150
2612	2344	WerFault.exe	153
4940	1860	WerFault.exe	156
4460	4540	WerFault.exe	159
2708	1948	WerFault.exe	162
4432	4536	WerFault.exe	165
1200	4728	WerFault.exe	168
4292	4808	WerFault.exe	171
3352	3908	WerFault.exe	174
4064	1384	WerFault.exe	177
656	1000	WerFault.exe	180
4764	3856	WerFault.exe	183
4372	1844	WerFault.exe	186
3576	556	WerFault.exe	189
1264	2972	WerFault.exe	192
2676	2372	WerFault.exe	195
3720	2776	WerFault.exe	198
2244	1160	WerFault.exe	201
3656	3712	WerFault.exe	204
232	3024	WerFault.exe	207
3568	4256	WerFault.exe	210
2388	1920	WerFault.exe	213
4392	1964	WerFault.exe	216
2140	4760	WerFault.exe	219
1168	1736	WerFault.exe	222
3744	1172	WerFault.exe	225
3260	4008	WerFault.exe	228
4576	4548	WerFault.exe	231
1600	2796	WerFault.exe	234
1740	2344	WerFault.exe	237
1468	436	WerFault.exe	240
2376	944	WerFault.exe	243
4480	2708	WerFault.exe	246
5100	4148	WerFault.exe	249
2820	2668	WerFault.exe	252
4140	4224	WerFault.exe	255
4492	4384	WerFault.exe	258
1384	3452	WerFault.exe	261
1584	4488	WerFault.exe	264
1268	880	WerFault.exe	267
1844	1816	WerFault.exe	270
556	5008	WerFault.exe	273

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe
2940	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2940	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe
2940	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 2940	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	99
PID 3116 wrote to memory of 2940	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	99
PID 3116 wrote to memory of 2940	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	99
PID 3116 wrote to memory of 2940	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	99
PID 3116 wrote to memory of 2940	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	99
PID 3116 wrote to memory of 2940	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	99
PID 3116 wrote to memory of 2940	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	99
PID 3116 wrote to memory of 2940	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	99
PID 3116 wrote to memory of 3052	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	100
PID 3116 wrote to memory of 3052	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	100
PID 3116 wrote to memory of 3052	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	100
PID 3116 wrote to memory of 3052	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	100
PID 3116 wrote to memory of 3052	3116	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	100
PID 2940 wrote to memory of 656	2940	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	101
PID 2940 wrote to memory of 656	2940	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	101
PID 2940 wrote to memory of 656	2940	348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe	101
PID 656 wrote to memory of 1808	656	explorer.exe	103
PID 656 wrote to memory of 1808	656	explorer.exe	103
PID 656 wrote to memory of 1808	656	explorer.exe	103
PID 656 wrote to memory of 1808	656	explorer.exe	103
PID 656 wrote to memory of 1808	656	explorer.exe	103
PID 656 wrote to memory of 1808	656	explorer.exe	103
PID 656 wrote to memory of 1808	656	explorer.exe	103
PID 656 wrote to memory of 1808	656	explorer.exe	103
PID 656 wrote to memory of 4348	656	explorer.exe	104
PID 656 wrote to memory of 4348	656	explorer.exe	104
PID 656 wrote to memory of 4348	656	explorer.exe	104
PID 656 wrote to memory of 4348	656	explorer.exe	104
PID 656 wrote to memory of 4348	656	explorer.exe	104
PID 1808 wrote to memory of 732	1808	explorer.exe	105
PID 1808 wrote to memory of 732	1808	explorer.exe	105
PID 1808 wrote to memory of 732	1808	explorer.exe	105
PID 1808 wrote to memory of 3576	1808	explorer.exe	106
PID 1808 wrote to memory of 3576	1808	explorer.exe	106
PID 1808 wrote to memory of 3576	1808	explorer.exe	106
PID 1808 wrote to memory of 1292	1808	explorer.exe	111
PID 1808 wrote to memory of 1292	1808	explorer.exe	111
PID 1808 wrote to memory of 1292	1808	explorer.exe	111
PID 1808 wrote to memory of 1832	1808	explorer.exe	114
PID 1808 wrote to memory of 1832	1808	explorer.exe	114
PID 1808 wrote to memory of 1832	1808	explorer.exe	114
PID 1808 wrote to memory of 4712	1808	explorer.exe	117
PID 1808 wrote to memory of 4712	1808	explorer.exe	117
PID 1808 wrote to memory of 4712	1808	explorer.exe	117
PID 1808 wrote to memory of 520	1808	explorer.exe	120
PID 1808 wrote to memory of 520	1808	explorer.exe	120
PID 1808 wrote to memory of 520	1808	explorer.exe	120
PID 1808 wrote to memory of 1772	1808	explorer.exe	123
PID 1808 wrote to memory of 1772	1808	explorer.exe	123
PID 1808 wrote to memory of 1772	1808	explorer.exe	123
PID 1808 wrote to memory of 1040	1808	explorer.exe	126
PID 1808 wrote to memory of 1040	1808	explorer.exe	126
PID 1808 wrote to memory of 1040	1808	explorer.exe	126
PID 1808 wrote to memory of 4144	1808	explorer.exe	129
PID 1808 wrote to memory of 4144	1808	explorer.exe	129
PID 1808 wrote to memory of 4144	1808	explorer.exe	129
PID 1808 wrote to memory of 1964	1808	explorer.exe	132
PID 1808 wrote to memory of 1964	1808	explorer.exe	132
PID 1808 wrote to memory of 1964	1808	explorer.exe	132
PID 1808 wrote to memory of 184	1808	explorer.exe	135
PID 1808 wrote to memory of 184	1808	explorer.exe	135
PID 1808 wrote to memory of 184	1808	explorer.exe	135
PID 1808 wrote to memory of 4860	1808	explorer.exe	138
PID 1808 wrote to memory of 4860	1808	explorer.exe	138

C:\Users\Admin\AppData\Local\Temp\348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe
"C:\Users\Admin\AppData\Local\Temp\348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe
  "C:\Users\Admin\AppData\Local\Temp\348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baeddN.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2940
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:656
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 192
        6⤵
        Program crash
        
        PID:628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 192
        6⤵
        Program crash
        
        PID:1864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 192
        6⤵
        Program crash
        
        PID:4736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4712
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 192
        6⤵
        Program crash
        
        PID:860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:520
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 192
        6⤵
        Program crash
        
        PID:1372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 200
        6⤵
        Program crash
        
        PID:392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 192
        6⤵
        Program crash
        
        PID:2660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4144
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 192
        6⤵
        Program crash
        
        PID:2356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 192
        6⤵
        Program crash
        
        PID:864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:184
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 192
        6⤵
        Program crash
        
        PID:3044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4860
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 192
        6⤵
        Program crash
        
        PID:3100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 192
        6⤵
        Program crash
        
        PID:4508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 192
        6⤵
        Program crash
        
        PID:4104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 192
        6⤵
        Program crash
        
        PID:980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 192
        6⤵
        Program crash
        
        PID:4708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 192
        6⤵
        Program crash
        
        PID:2612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1860
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 192
        6⤵
        Program crash
        
        PID:4940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 192
        6⤵
        Program crash
        
        PID:4460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 192
        6⤵
        Program crash
        
        PID:2708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 200
        6⤵
        Program crash
        
        PID:4432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 192
        6⤵
        Program crash
        
        PID:1200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4808
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 192
        6⤵
        Program crash
        
        PID:4292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 192
        6⤵
        Program crash
        
        PID:3352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 192
        6⤵
        Program crash
        
        PID:4064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1000
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 192
        6⤵
        Program crash
        
        PID:656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3856
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 192
        6⤵
        Program crash
        
        PID:4764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 192
        6⤵
        Program crash
        
        PID:4372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 192
        6⤵
        Program crash
        
        PID:3576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 192
        6⤵
        Program crash
        
        PID:1264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 192
        6⤵
        Program crash
        
        PID:2676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 192
        6⤵
        Program crash
        
        PID:3720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 192
        6⤵
        Program crash
        
        PID:2244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3712
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 192
        6⤵
        Program crash
        
        PID:3656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 192
        6⤵
        Program crash
        
        PID:232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 192
        6⤵
        Program crash
        
        PID:3568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 192
        6⤵
        Program crash
        
        PID:2388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 192
        6⤵
        Program crash
        
        PID:4392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4760
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 192
        6⤵
        Program crash
        
        PID:2140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1736
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 192
        6⤵
        Program crash
        
        PID:1168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1172
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 192
        6⤵
        Program crash
        
        PID:3744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 192
        6⤵
        Program crash
        
        PID:3260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 192
        6⤵
        Program crash
        
        PID:4576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 192
        6⤵
        Program crash
        
        PID:1600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 192
        6⤵
        Program crash
        
        PID:1740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 192
        6⤵
        Program crash
        
        PID:1468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:944
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 192
        6⤵
        Program crash
        
        PID:2376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 192
        6⤵
        Program crash
        
        PID:4480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4148
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 192
        6⤵
        Program crash
        
        PID:5100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 192
        6⤵
        Program crash
        
        PID:2820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4224
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 192
        6⤵
        Program crash
        
        PID:4140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 192
        6⤵
        Program crash
        
        PID:4492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 192
        6⤵
        Program crash
        
        PID:1384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 192
        6⤵
        Program crash
        
        PID:1584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 192
        6⤵
        Program crash
        
        PID:1268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1816
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 192
        6⤵
        Program crash
        
        PID:1844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 192
        6⤵
        Program crash
        
        PID:556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2296
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:4348
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3576 -ip 3576
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1292 -ip 1292
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1832 -ip 1832
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4712 -ip 4712
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 520 -ip 520
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1772 -ip 1772
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1040 -ip 1040
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4144 -ip 4144
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1964 -ip 1964
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 184 -ip 184
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4860 -ip 4860
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1548 -ip 1548
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2456 -ip 2456
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4112 -ip 4112
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2796 -ip 2796
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2344 -ip 2344
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1860 -ip 1860
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4540 -ip 4540
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1948 -ip 1948
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4536 -ip 4536
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4728 -ip 4728
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4808 -ip 4808
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3908 -ip 3908
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1384 -ip 1384
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1000 -ip 1000
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3856 -ip 3856
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1844 -ip 1844
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 556 -ip 556
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2972 -ip 2972
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2372 -ip 2372
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2776 -ip 2776
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1160 -ip 1160
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3712 -ip 3712
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3024 -ip 3024
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4256 -ip 4256
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1920 -ip 1920
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1964 -ip 1964
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4760 -ip 4760
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1736 -ip 1736
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1172 -ip 1172
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4008 -ip 4008
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4548 -ip 4548
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2796 -ip 2796
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2344 -ip 2344
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 436 -ip 436
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 944 -ip 944
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2708 -ip 2708
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4148 -ip 4148
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2668 -ip 2668
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4224 -ip 4224
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4384 -ip 4384
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3452 -ip 3452
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4488 -ip 4488
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 880 -ip 880
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1816 -ip 1816
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5008 -ip 5008
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2296 -ip 2296
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
aa09cc47753e2225e73358e54badc070

SHA1
446e0bf562d920985f85d6e7679d076886e8178d

SHA256
348fed31060e19322ec93eda5f2d5ab3cfa46071cad12335e71fc7d7125baedd

SHA512
c6c2d148eb9f886faf404cbb1feae4fa6b943772d2c79ee898d608dbb1bab76066d4b7df1fd6616bd04acf789f39b0d4189184d3ad2895ea902240c97ae7af17

Download Submit
C:\Windows\System\explorer.exe

Filesize
8.2MB

MD5
e5f1fa95326ecb5c2c7181b0e3511b92

SHA1
f335ebe7f5c453901964ddcc0a4b173b62f5090a

SHA256
22dbc17b5e0885dd902cc76b9c171ffa8f79202d9338a2f9def128574e842468

SHA512
ea455213973ca1fa2ab0e445380ab9eb268ef1c6cf2289afbb76b8a801eb7056d8d9075521366330841c05c334c50f1fe7c4a9b82a0e2c92e1927c74420dafe1

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
f356e94369bfd18bf0598818fa3b3c89

SHA1
95fe3b6a104b8d7061ae1077e0b1c3aae603b369

SHA256
ece5b0a67af691f8141a391a0899a277dd553e8211a64a69a47159b279e4ee94

SHA512
3069ea7c67705932a67998fb3e3e24150225547d34f6a155df140f27bbad291cda0b643e6f2690ffba493f5058e9013b6235ed91404caeb112da2a46755a4bef

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.2MB

MD5
dc121695ef2d37f04e670a203abe03e8

SHA1
b93d4da59ba614f804da223ebe01077308f2af8b

SHA256
2cdae9680e73658b9ee57ab6a4f7985d6eae67d0e5b1158622421573d52c95be

SHA512
42833a79f1827e914be043df299ceca0bfb3fca6faeff14f71d077fd7103081770734f9db48e34fbdfb67b57a0397216a86706569d2c8babcaa6d62f059e5d2c

Download Submit
memory/656-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/656-35-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/656-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/656-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/656-56-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/732-81-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/732-63-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/732-64-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1292-71-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1772-77-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1808-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-82-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2372-106-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2940-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2940-33-0x00000000004B0000-0x0000000000579000-memory.dmp

Filesize
804KB

Download
memory/2940-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2940-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3052-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3052-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3052-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3116-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3116-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3116-23-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3116-6-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3116-3-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3116-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3116-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3576-68-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3576-69-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4348-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4488-133-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download