warzonerat | e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe
Size

8.2MB
MD5

b6d37eb6b47813c679bde3d4bc6fc2e0
SHA1

ad27fb0e1da7ce89ade7df96dd9ed647eab2c649
SHA256

e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01
SHA512

fb502039619e86a5fa1636116d66481fe0ad6dc73c1db291471f362acfea4afcaf593c89e73bbe8e1accdcf762c21fdcd47fbac6eb30acdb36946b95fa7286f2
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecS:V8e8e8f8e8e8n

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023c8b-29.dat	warzonerat
behavioral2/files/0x0008000000023c89-46.dat	warzonerat
behavioral2/files/0x000d0000000234f8-61.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023c8b-29.dat	aspack_v212_v242
behavioral2/files/0x0008000000023c89-46.dat	aspack_v212_v242
behavioral2/files/0x000d0000000234f8-61.dat	aspack_v212_v242

Executes dropped EXE 64 IoCs

pid	Process
2632	explorer.exe
5100	explorer.exe
3076	spoolsv.exe
2748	spoolsv.exe
1268	spoolsv.exe
3348	spoolsv.exe
1348	spoolsv.exe
5016	spoolsv.exe
2756	spoolsv.exe
1540	spoolsv.exe
1096	spoolsv.exe
804	spoolsv.exe
4800	spoolsv.exe
3588	spoolsv.exe
232	spoolsv.exe
2792	spoolsv.exe
4884	spoolsv.exe
1820	spoolsv.exe
4396	spoolsv.exe
2008	spoolsv.exe
1564	spoolsv.exe
4200	spoolsv.exe
1512	spoolsv.exe
2448	spoolsv.exe
2712	spoolsv.exe
3304	spoolsv.exe
908	spoolsv.exe
3448	spoolsv.exe
4808	spoolsv.exe
4876	spoolsv.exe
2000	spoolsv.exe
2408	spoolsv.exe
3252	spoolsv.exe
3784	spoolsv.exe
4780	spoolsv.exe
5052	spoolsv.exe
1548	spoolsv.exe
3292	spoolsv.exe
3616	spoolsv.exe
4644	spoolsv.exe
1048	spoolsv.exe
4684	spoolsv.exe
4884	spoolsv.exe
768	spoolsv.exe
3604	spoolsv.exe
1240	spoolsv.exe
4384	spoolsv.exe
3000	spoolsv.exe
2496	spoolsv.exe
2448	spoolsv.exe
1052	spoolsv.exe
3236	spoolsv.exe
4024	spoolsv.exe
3300	spoolsv.exe
4496	spoolsv.exe
3196	spoolsv.exe
4740	spoolsv.exe
4980	spoolsv.exe
2388	spoolsv.exe
3028	spoolsv.exe
4192	spoolsv.exe
1880	spoolsv.exe
2428	spoolsv.exe
2424	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 408 set thread context of 4976	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	100
PID 408 set thread context of 4352	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	101
PID 2632 set thread context of 5100	2632	explorer.exe	104
PID 2632 set thread context of 5096	2632	explorer.exe	105

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4360	2748	WerFault.exe	107
5008	1268	WerFault.exe	112
3624	3348	WerFault.exe	115
628	1348	WerFault.exe	118
2372	5016	WerFault.exe	121
2916	2756	WerFault.exe	124
1856	1540	WerFault.exe	127
4408	1096	WerFault.exe	130
3952	804	WerFault.exe	133
2960	4800	WerFault.exe	136
2056	3588	WerFault.exe	139
2296	232	WerFault.exe	142
1308	2792	WerFault.exe	145
640	4884	WerFault.exe	148
408	1820	WerFault.exe	151
1132	4396	WerFault.exe	154
832	2008	WerFault.exe	157
1528	1564	WerFault.exe	160
2124	4200	WerFault.exe	163
2496	1512	WerFault.exe	166
1844	2448	WerFault.exe	169
1984	2712	WerFault.exe	172
4088	3304	WerFault.exe	175
3064	908	WerFault.exe	178
4652	3448	WerFault.exe	181
736	4808	WerFault.exe	184
3532	4876	WerFault.exe	187
4964	2000	WerFault.exe	190
1864	2408	WerFault.exe	193
2044	3252	WerFault.exe	196
1484	3784	WerFault.exe	199
2976	4780	WerFault.exe	202
4400	5052	WerFault.exe	205
4484	1548	WerFault.exe	208
1312	3292	WerFault.exe	211
2216	3616	WerFault.exe	214
444	4644	WerFault.exe	217
2272	1048	WerFault.exe	220
452	4684	WerFault.exe	223
4056	4884	WerFault.exe	226
2984	768	WerFault.exe	229
2208	3604	WerFault.exe	232
2260	1240	WerFault.exe	235
2080	4384	WerFault.exe	238
3376	3000	WerFault.exe	241
3096	2496	WerFault.exe	244
1940	2448	WerFault.exe	247
4936	1052	WerFault.exe	250
3324	3236	WerFault.exe	253
3980	4024	WerFault.exe	256
3184	3300	WerFault.exe	259
516	4496	WerFault.exe	262
4876	3196	WerFault.exe	265
2000	4740	WerFault.exe	268
1680	4980	WerFault.exe	271
3260	2388	WerFault.exe	274
756	3028	WerFault.exe	277
2976	4192	WerFault.exe	280
3704	1880	WerFault.exe	283
2772	2428	WerFault.exe	286
4484	2424	WerFault.exe	289
3832	2088	WerFault.exe	292
4744	1040	WerFault.exe	295
220	544	WerFault.exe	298

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4976	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe
4976	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4976	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe
4976	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 4976	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	100
PID 408 wrote to memory of 4976	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	100
PID 408 wrote to memory of 4976	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	100
PID 408 wrote to memory of 4976	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	100
PID 408 wrote to memory of 4976	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	100
PID 408 wrote to memory of 4976	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	100
PID 408 wrote to memory of 4976	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	100
PID 408 wrote to memory of 4976	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	100
PID 408 wrote to memory of 4352	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	101
PID 408 wrote to memory of 4352	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	101
PID 408 wrote to memory of 4352	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	101
PID 408 wrote to memory of 4352	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	101
PID 408 wrote to memory of 4352	408	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	101
PID 4976 wrote to memory of 2632	4976	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	102
PID 4976 wrote to memory of 2632	4976	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	102
PID 4976 wrote to memory of 2632	4976	e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe	102
PID 2632 wrote to memory of 5100	2632	explorer.exe	104
PID 2632 wrote to memory of 5100	2632	explorer.exe	104
PID 2632 wrote to memory of 5100	2632	explorer.exe	104
PID 2632 wrote to memory of 5100	2632	explorer.exe	104
PID 2632 wrote to memory of 5100	2632	explorer.exe	104
PID 2632 wrote to memory of 5100	2632	explorer.exe	104
PID 2632 wrote to memory of 5100	2632	explorer.exe	104
PID 2632 wrote to memory of 5100	2632	explorer.exe	104
PID 2632 wrote to memory of 5096	2632	explorer.exe	105
PID 2632 wrote to memory of 5096	2632	explorer.exe	105
PID 2632 wrote to memory of 5096	2632	explorer.exe	105
PID 2632 wrote to memory of 5096	2632	explorer.exe	105
PID 2632 wrote to memory of 5096	2632	explorer.exe	105
PID 5100 wrote to memory of 3076	5100	explorer.exe	106
PID 5100 wrote to memory of 3076	5100	explorer.exe	106
PID 5100 wrote to memory of 3076	5100	explorer.exe	106
PID 5100 wrote to memory of 2748	5100	explorer.exe	107
PID 5100 wrote to memory of 2748	5100	explorer.exe	107
PID 5100 wrote to memory of 2748	5100	explorer.exe	107
PID 5100 wrote to memory of 1268	5100	explorer.exe	112
PID 5100 wrote to memory of 1268	5100	explorer.exe	112
PID 5100 wrote to memory of 1268	5100	explorer.exe	112
PID 5100 wrote to memory of 3348	5100	explorer.exe	115
PID 5100 wrote to memory of 3348	5100	explorer.exe	115
PID 5100 wrote to memory of 3348	5100	explorer.exe	115
PID 5100 wrote to memory of 1348	5100	explorer.exe	118
PID 5100 wrote to memory of 1348	5100	explorer.exe	118
PID 5100 wrote to memory of 1348	5100	explorer.exe	118
PID 5100 wrote to memory of 5016	5100	explorer.exe	121
PID 5100 wrote to memory of 5016	5100	explorer.exe	121
PID 5100 wrote to memory of 5016	5100	explorer.exe	121
PID 5100 wrote to memory of 2756	5100	explorer.exe	124
PID 5100 wrote to memory of 2756	5100	explorer.exe	124
PID 5100 wrote to memory of 2756	5100	explorer.exe	124
PID 5100 wrote to memory of 1540	5100	explorer.exe	127
PID 5100 wrote to memory of 1540	5100	explorer.exe	127
PID 5100 wrote to memory of 1540	5100	explorer.exe	127
PID 5100 wrote to memory of 1096	5100	explorer.exe	130
PID 5100 wrote to memory of 1096	5100	explorer.exe	130
PID 5100 wrote to memory of 1096	5100	explorer.exe	130
PID 5100 wrote to memory of 804	5100	explorer.exe	133
PID 5100 wrote to memory of 804	5100	explorer.exe	133
PID 5100 wrote to memory of 804	5100	explorer.exe	133
PID 5100 wrote to memory of 4800	5100	explorer.exe	136
PID 5100 wrote to memory of 4800	5100	explorer.exe	136
PID 5100 wrote to memory of 4800	5100	explorer.exe	136
PID 5100 wrote to memory of 3588	5100	explorer.exe	139
PID 5100 wrote to memory of 3588	5100	explorer.exe	139

C:\Users\Admin\AppData\Local\Temp\e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe
"C:\Users\Admin\AppData\Local\Temp\e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:408
- C:\Users\Admin\AppData\Local\Temp\e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe
  "C:\Users\Admin\AppData\Local\Temp\e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4976
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 192
        6⤵
        Program crash
        
        PID:4360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1268
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 192
        6⤵
        Program crash
        
        PID:5008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3348
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 192
        6⤵
        Program crash
        
        PID:3624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1348
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 192
        6⤵
        Program crash
        
        PID:628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5016
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 192
        6⤵
        Program crash
        
        PID:2372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2756
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 192
        6⤵
        Program crash
        
        PID:2916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 192
        6⤵
        Program crash
        
        PID:1856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 192
        6⤵
        Program crash
        
        PID:4408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:804
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 192
        6⤵
        Program crash
        
        PID:3952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4800
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 192
        6⤵
        Program crash
        
        PID:2960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3588
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 192
        6⤵
        Program crash
        
        PID:2056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:232
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 192
        6⤵
        Program crash
        
        PID:2296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2792
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 192
        6⤵
        Program crash
        
        PID:1308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4884
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 192
        6⤵
        Program crash
        
        PID:640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1820
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 192
        6⤵
        Program crash
        
        PID:408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 192
        6⤵
        Program crash
        
        PID:1132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 192
        6⤵
        Program crash
        
        PID:832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1564
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 192
        6⤵
        Program crash
        
        PID:1528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4200
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 192
        6⤵
        Program crash
        
        PID:2124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1512
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 192
        6⤵
        Program crash
        
        PID:2496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 192
        6⤵
        Program crash
        
        PID:1844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2712
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 192
        6⤵
        Program crash
        
        PID:1984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 192
        6⤵
        Program crash
        
        PID:4088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 192
        6⤵
        Program crash
        
        PID:3064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 192
        6⤵
        Program crash
        
        PID:4652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4808
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 192
        6⤵
        Program crash
        
        PID:736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 192
        6⤵
        Program crash
        
        PID:3532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2000
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 192
        6⤵
        Program crash
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2408
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 192
        6⤵
        Program crash
        
        PID:1864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3252
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 192
        6⤵
        Program crash
        
        PID:2044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3784
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 192
        6⤵
        Program crash
        
        PID:1484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 192
        6⤵
        Program crash
        
        PID:2976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 192
        6⤵
        Program crash
        
        PID:4400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 192
        6⤵
        Program crash
        
        PID:4484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 192
        6⤵
        Program crash
        
        PID:1312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 192
        6⤵
        Program crash
        
        PID:2216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 192
        6⤵
        Program crash
        
        PID:444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1048
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 192
        6⤵
        Program crash
        
        PID:2272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4684
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 192
        6⤵
        Program crash
        
        PID:452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4884
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 192
        6⤵
        Program crash
        
        PID:4056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 192
        6⤵
        Program crash
        
        PID:2984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3604
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 192
        6⤵
        Program crash
        
        PID:2208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 192
        6⤵
        Program crash
        
        PID:2260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 192
        6⤵
        Program crash
        
        PID:2080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3000
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 192
        6⤵
        Program crash
        
        PID:3376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 192
        6⤵
        Program crash
        
        PID:3096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 192
        6⤵
        Program crash
        
        PID:1940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 192
        6⤵
        Program crash
        
        PID:4936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3236
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 192
        6⤵
        Program crash
        
        PID:3324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 192
        6⤵
        Program crash
        
        PID:3980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3300
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 192
        6⤵
        Program crash
        
        PID:3184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 192
        6⤵
        Program crash
        
        PID:516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3196
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 192
        6⤵
        Program crash
        
        PID:4876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4740
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 192
        6⤵
        Program crash
        
        PID:2000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4980
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 192
        6⤵
        Program crash
        
        PID:1680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2388
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 192
        6⤵
        Program crash
        
        PID:3260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 192
        6⤵
        Program crash
        
        PID:756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 192
        6⤵
        Program crash
        
        PID:2976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 192
        6⤵
        Program crash
        
        PID:3704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2428
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 192
        6⤵
        Program crash
        
        PID:2772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 192
        6⤵
        Program crash
        
        PID:4484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 192
        6⤵
        Program crash
        
        PID:3832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 192
        6⤵
        Program crash
        
        PID:4744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 192
        6⤵
        Program crash
        
        PID:220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:324
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 192
        6⤵
        
        PID:444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 192
        6⤵
        
        PID:3816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 192
        6⤵
        
        PID:884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 192
        6⤵
        
        PID:2356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4056
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 192
        6⤵
        
        PID:2072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 192
        6⤵
        
        PID:2812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 192
        6⤵
        
        PID:2924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 192
        6⤵
        
        PID:1476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 192
        6⤵
        
        PID:4880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 192
        6⤵
        
        PID:3580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2324
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 192
        6⤵
        
        PID:2740
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:5096
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2748 -ip 2748
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1268 -ip 1268
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3348 -ip 3348
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1348 -ip 1348
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2756 -ip 2756
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1540 -ip 1540
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1096 -ip 1096
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 804 -ip 804
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4800 -ip 4800
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3588 -ip 3588
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 232 -ip 232
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2792 -ip 2792
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4884 -ip 4884
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1820 -ip 1820
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4396 -ip 4396
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2008 -ip 2008
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1564 -ip 1564
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4200 -ip 4200
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1512 -ip 1512
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2448 -ip 2448
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2712 -ip 2712
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3304 -ip 3304
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 908 -ip 908
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3448 -ip 3448
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4808 -ip 4808
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4876 -ip 4876
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2000 -ip 2000
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2408 -ip 2408
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3252 -ip 3252
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3784 -ip 3784
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4780 -ip 4780
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5052 -ip 5052
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1548 -ip 1548
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3292 -ip 3292
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3616 -ip 3616
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4644 -ip 4644
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1048 -ip 1048
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4684 -ip 4684
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4884 -ip 4884
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 768 -ip 768
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3604 -ip 3604
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1240 -ip 1240
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4384 -ip 4384
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3000 -ip 3000
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2496 -ip 2496
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2448 -ip 2448
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1052 -ip 1052
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3236 -ip 3236
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4024 -ip 4024
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3300 -ip 3300
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4496 -ip 4496
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3196 -ip 3196
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4740 -ip 4740
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4980 -ip 4980
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2388 -ip 2388
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3028 -ip 3028
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4192 -ip 4192
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1880 -ip 1880
1⤵
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2428 -ip 2428
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2424 -ip 2424
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2088 -ip 2088
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1040 -ip 1040
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 544 -ip 544
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 324 -ip 324
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1628 -ip 1628
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3540 -ip 3540
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1356 -ip 1356
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4056 -ip 4056
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1608 -ip 1608
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2008 -ip 2008
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1528 -ip 1528
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3628 -ip 3628
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4952 -ip 4952
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2324 -ip 2324
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
b6d37eb6b47813c679bde3d4bc6fc2e0

SHA1
ad27fb0e1da7ce89ade7df96dd9ed647eab2c649

SHA256
e48faefa11f17fa9073056dda267fbfc9f94b1b820ee9b62e569758c2ab4ed01

SHA512
fb502039619e86a5fa1636116d66481fe0ad6dc73c1db291471f362acfea4afcaf593c89e73bbe8e1accdcf762c21fdcd47fbac6eb30acdb36946b95fa7286f2

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.2MB

MD5
c76e54d49e0dd9b4aa6018fc8db9c84e

SHA1
0d48d82e5be00aad96c8362c9744af36c6867aec

SHA256
963f89a555dfd8bd12c4cb1cef20c3ce7151fc78d37a464605aa5989235e488a

SHA512
fbee59285e11ee3549c5998e82522c769d03f13d0294164bb234b62aa7a76e50a51e183dd04baafa7b41f8c3e0409f54a1d8fcd270bedd51a2ab1a8a78a2f047

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
8.2MB

MD5
aaebb0d58d142967c5a8074055b76c57

SHA1
fb8f987bb7388c50e933f16c9fedf2b36b69f8ec

SHA256
cd2fc0a8db078cd9a1e932bcc213f993481556c64582370bceb984177cefac90

SHA512
37ce5f931e1a21b250790f4c999216b7e32bb204b1ab808f0727cd05074151544a44ce8e0290a90d04ab5163c97a1c1d5443c79fda8fd23b385577cd8f132206

Download Submit
memory/408-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/408-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/408-3-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/408-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/408-6-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/408-23-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/408-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1268-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2632-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2632-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2632-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2632-35-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2632-58-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2748-70-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2748-69-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3076-83-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3076-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3076-64-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3348-74-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4352-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4352-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4352-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4644-115-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4800-84-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4884-120-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4976-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4976-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4976-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5096-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5100-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5100-78-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download