warzonerat | 021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe
Size

8.2MB
MD5

bbad0d0174334cf90ed6d1ba88fbbcd0
SHA1

6c3bc5b3ffd9cbc77a8b253971211a6e68053287
SHA256

021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36
SHA512

d4b923b672f4a4aea10b343a3d42fa33f6a44d3cd850e452a7d78bed716c9ae059c816797845ca0393abf08ca7681c55a664d727088b36832f7907c1a24b08ce
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNec1:V8e8e8f8e8e8+

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023cb0-26.dat	warzonerat
behavioral2/files/0x0008000000023cae-45.dat	warzonerat
behavioral2/files/0x0003000000021ee0-62.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023cb0-26.dat	aspack_v212_v242
behavioral2/files/0x0008000000023cae-45.dat	aspack_v212_v242
behavioral2/files/0x0003000000021ee0-62.dat	aspack_v212_v242

Executes dropped EXE 64 IoCs

pid	Process
516	explorer.exe
3592	explorer.exe
3620	spoolsv.exe
1084	spoolsv.exe
4576	spoolsv.exe
4460	spoolsv.exe
1020	spoolsv.exe
3828	spoolsv.exe
4892	spoolsv.exe
4316	spoolsv.exe
4436	spoolsv.exe
1800	spoolsv.exe
3404	spoolsv.exe
752	spoolsv.exe
2796	spoolsv.exe
1248	spoolsv.exe
1128	spoolsv.exe
2844	spoolsv.exe
3332	spoolsv.exe
3364	spoolsv.exe
3976	spoolsv.exe
4324	spoolsv.exe
1192	spoolsv.exe
3012	spoolsv.exe
1644	spoolsv.exe
2504	spoolsv.exe
3372	spoolsv.exe
1828	spoolsv.exe
4444	spoolsv.exe
4280	spoolsv.exe
2364	spoolsv.exe
1732	spoolsv.exe
4208	spoolsv.exe
1720	spoolsv.exe
1020	spoolsv.exe
2032	spoolsv.exe
4892	spoolsv.exe
4464	spoolsv.exe
3992	spoolsv.exe
3924	spoolsv.exe
4024	spoolsv.exe
1600	spoolsv.exe
1620	spoolsv.exe
980	spoolsv.exe
1128	spoolsv.exe
3568	spoolsv.exe
3332	spoolsv.exe
5108	spoolsv.exe
4656	spoolsv.exe
4852	spoolsv.exe
2336	spoolsv.exe
4352	spoolsv.exe
1924	spoolsv.exe
3972	spoolsv.exe
3372	spoolsv.exe
1828	spoolsv.exe
4444	spoolsv.exe
4280	spoolsv.exe
2364	spoolsv.exe
3968	spoolsv.exe
4772	spoolsv.exe
1720	spoolsv.exe
4668	spoolsv.exe
1836	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 5024	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	98
PID 1884 set thread context of 3328	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	99
PID 516 set thread context of 3592	516	explorer.exe	101
PID 516 set thread context of 64	516	explorer.exe	102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3616	1084	WerFault.exe	104
2644	4576	WerFault.exe	109
4812	4460	WerFault.exe	112
1492	1020	WerFault.exe	115
1548	3828	WerFault.exe	118
4984	4892	WerFault.exe	121
800	4316	WerFault.exe	124
4484	4436	WerFault.exe	127
3504	1800	WerFault.exe	130
4776	3404	WerFault.exe	133
4136	752	WerFault.exe	136
988	2796	WerFault.exe	139
3424	1248	WerFault.exe	142
1652	1128	WerFault.exe	145
2204	2844	WerFault.exe	148
1572	3332	WerFault.exe	151
3776	3364	WerFault.exe	154
2476	3976	WerFault.exe	157
2708	4324	WerFault.exe	160
640	1192	WerFault.exe	163
1388	3012	WerFault.exe	166
2944	1644	WerFault.exe	169
4012	2504	WerFault.exe	172
3692	3372	WerFault.exe	175
2920	1828	WerFault.exe	178
2516	4444	WerFault.exe	181
4112	4280	WerFault.exe	184
4600	2364	WerFault.exe	187
2644	1732	WerFault.exe	190
4812	4208	WerFault.exe	193
316	1720	WerFault.exe	196
4556	1020	WerFault.exe	199
3492	2032	WerFault.exe	202
4904	4892	WerFault.exe	205
1796	4464	WerFault.exe	208
3760	3992	WerFault.exe	211
692	3924	WerFault.exe	214
2356	4024	WerFault.exe	217
3060	1600	WerFault.exe	220
1864	1620	WerFault.exe	223
840	980	WerFault.exe	226
412	1128	WerFault.exe	229
2904	3568	WerFault.exe	232
1292	3332	WerFault.exe	235
1576	5108	WerFault.exe	238
3448	4656	WerFault.exe	241
1596	4852	WerFault.exe	244
2172	2336	WerFault.exe	247
404	4352	WerFault.exe	250
1992	1924	WerFault.exe	253
4536	3972	WerFault.exe	256
724	3372	WerFault.exe	259
684	1828	WerFault.exe	262
1240	4444	WerFault.exe	265
3660	4280	WerFault.exe	268
2932	2364	WerFault.exe	271
4368	3968	WerFault.exe	274
3836	4772	WerFault.exe	277
3056	1720	WerFault.exe	280
1656	4668	WerFault.exe	283
3492	1836	WerFault.exe	286
4016	1320	WerFault.exe	289
3780	1096	WerFault.exe	292
2800	4932	WerFault.exe	295

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5024	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe
5024	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5024	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe
5024	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 5024	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	98
PID 1884 wrote to memory of 5024	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	98
PID 1884 wrote to memory of 5024	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	98
PID 1884 wrote to memory of 5024	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	98
PID 1884 wrote to memory of 5024	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	98
PID 1884 wrote to memory of 5024	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	98
PID 1884 wrote to memory of 5024	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	98
PID 1884 wrote to memory of 5024	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	98
PID 1884 wrote to memory of 3328	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	99
PID 1884 wrote to memory of 3328	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	99
PID 1884 wrote to memory of 3328	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	99
PID 1884 wrote to memory of 3328	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	99
PID 1884 wrote to memory of 3328	1884	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	99
PID 5024 wrote to memory of 516	5024	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	100
PID 5024 wrote to memory of 516	5024	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	100
PID 5024 wrote to memory of 516	5024	021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe	100
PID 516 wrote to memory of 3592	516	explorer.exe	101
PID 516 wrote to memory of 3592	516	explorer.exe	101
PID 516 wrote to memory of 3592	516	explorer.exe	101
PID 516 wrote to memory of 3592	516	explorer.exe	101
PID 516 wrote to memory of 3592	516	explorer.exe	101
PID 516 wrote to memory of 3592	516	explorer.exe	101
PID 516 wrote to memory of 3592	516	explorer.exe	101
PID 516 wrote to memory of 3592	516	explorer.exe	101
PID 516 wrote to memory of 64	516	explorer.exe	102
PID 516 wrote to memory of 64	516	explorer.exe	102
PID 516 wrote to memory of 64	516	explorer.exe	102
PID 516 wrote to memory of 64	516	explorer.exe	102
PID 516 wrote to memory of 64	516	explorer.exe	102
PID 3592 wrote to memory of 3620	3592	explorer.exe	103
PID 3592 wrote to memory of 3620	3592	explorer.exe	103
PID 3592 wrote to memory of 3620	3592	explorer.exe	103
PID 3592 wrote to memory of 1084	3592	explorer.exe	104
PID 3592 wrote to memory of 1084	3592	explorer.exe	104
PID 3592 wrote to memory of 1084	3592	explorer.exe	104
PID 3592 wrote to memory of 4576	3592	explorer.exe	109
PID 3592 wrote to memory of 4576	3592	explorer.exe	109
PID 3592 wrote to memory of 4576	3592	explorer.exe	109
PID 3592 wrote to memory of 4460	3592	explorer.exe	112
PID 3592 wrote to memory of 4460	3592	explorer.exe	112
PID 3592 wrote to memory of 4460	3592	explorer.exe	112
PID 3592 wrote to memory of 1020	3592	explorer.exe	115
PID 3592 wrote to memory of 1020	3592	explorer.exe	115
PID 3592 wrote to memory of 1020	3592	explorer.exe	115
PID 3592 wrote to memory of 3828	3592	explorer.exe	118
PID 3592 wrote to memory of 3828	3592	explorer.exe	118
PID 3592 wrote to memory of 3828	3592	explorer.exe	118
PID 3592 wrote to memory of 4892	3592	explorer.exe	121
PID 3592 wrote to memory of 4892	3592	explorer.exe	121
PID 3592 wrote to memory of 4892	3592	explorer.exe	121
PID 3592 wrote to memory of 4316	3592	explorer.exe	124
PID 3592 wrote to memory of 4316	3592	explorer.exe	124
PID 3592 wrote to memory of 4316	3592	explorer.exe	124
PID 3592 wrote to memory of 4436	3592	explorer.exe	127
PID 3592 wrote to memory of 4436	3592	explorer.exe	127
PID 3592 wrote to memory of 4436	3592	explorer.exe	127
PID 3592 wrote to memory of 1800	3592	explorer.exe	130
PID 3592 wrote to memory of 1800	3592	explorer.exe	130
PID 3592 wrote to memory of 1800	3592	explorer.exe	130
PID 3592 wrote to memory of 3404	3592	explorer.exe	133
PID 3592 wrote to memory of 3404	3592	explorer.exe	133
PID 3592 wrote to memory of 3404	3592	explorer.exe	133
PID 3592 wrote to memory of 752	3592	explorer.exe	136
PID 3592 wrote to memory of 752	3592	explorer.exe	136

C:\Users\Admin\AppData\Local\Temp\021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe
"C:\Users\Admin\AppData\Local\Temp\021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe
  "C:\Users\Admin\AppData\Local\Temp\021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5024
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:516
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 192
        6⤵
        Program crash
        
        PID:3616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 192
        6⤵
        Program crash
        
        PID:2644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 192
        6⤵
        Program crash
        
        PID:4812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1020
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 192
        6⤵
        Program crash
        
        PID:1492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3828
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 192
        6⤵
        Program crash
        
        PID:1548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4892
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 192
        6⤵
        Program crash
        
        PID:4984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4316
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 192
        6⤵
        Program crash
        
        PID:800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 192
        6⤵
        Program crash
        
        PID:4484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1800
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 192
        6⤵
        Program crash
        
        PID:3504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 192
        6⤵
        Program crash
        
        PID:4776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:752
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 192
        6⤵
        Program crash
        
        PID:4136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 200
        6⤵
        Program crash
        
        PID:988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 192
        6⤵
        Program crash
        
        PID:3424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 192
        6⤵
        Program crash
        
        PID:1652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 192
        6⤵
        Program crash
        
        PID:2204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3332
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 192
        6⤵
        Program crash
        
        PID:1572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 192
        6⤵
        Program crash
        
        PID:3776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 192
        6⤵
        Program crash
        
        PID:2476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4324
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 192
        6⤵
        Program crash
        
        PID:2708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 192
        6⤵
        Program crash
        
        PID:640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3012
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 192
        6⤵
        Program crash
        
        PID:1388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 192
        6⤵
        Program crash
        
        PID:2944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 192
        6⤵
        Program crash
        
        PID:4012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 192
        6⤵
        Program crash
        
        PID:3692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1828
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 192
        6⤵
        Program crash
        
        PID:2920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4444
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 192
        6⤵
        Program crash
        
        PID:2516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 192
        6⤵
        Program crash
        
        PID:4112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 192
        6⤵
        Program crash
        
        PID:4600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 192
        6⤵
        Program crash
        
        PID:2644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4208
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 192
        6⤵
        Program crash
        
        PID:4812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 192
        6⤵
        Program crash
        
        PID:316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1020
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 192
        6⤵
        Program crash
        
        PID:4556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 192
        6⤵
        Program crash
        
        PID:3492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4892
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 192
        6⤵
        Program crash
        
        PID:4904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 200
        6⤵
        Program crash
        
        PID:1796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 192
        6⤵
        Program crash
        
        PID:3760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 192
        6⤵
        Program crash
        
        PID:692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 192
        6⤵
        Program crash
        
        PID:2356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1600
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 192
        6⤵
        Program crash
        
        PID:3060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 192
        6⤵
        Program crash
        
        PID:1864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:980
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 192
        6⤵
        Program crash
        
        PID:840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 192
        6⤵
        Program crash
        
        PID:412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3568
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 192
        6⤵
        Program crash
        
        PID:2904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3332
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 192
        6⤵
        Program crash
        
        PID:1292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 192
        6⤵
        Program crash
        
        PID:1576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 192
        6⤵
        Program crash
        
        PID:3448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 192
        6⤵
        Program crash
        
        PID:1596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2336
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 192
        6⤵
        Program crash
        
        PID:2172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4352
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 192
        6⤵
        Program crash
        
        PID:404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 192
        6⤵
        Program crash
        
        PID:1992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 192
        6⤵
        Program crash
        
        PID:4536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 192
        6⤵
        Program crash
        
        PID:724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1828
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 192
        6⤵
        Program crash
        
        PID:684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4444
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 192
        6⤵
        Program crash
        
        PID:1240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 192
        6⤵
        Program crash
        
        PID:3660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 192
        6⤵
        Program crash
        
        PID:2932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3968
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 192
        6⤵
        Program crash
        
        PID:4368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 192
        6⤵
        Program crash
        
        PID:3836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 192
        6⤵
        Program crash
        
        PID:3056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 192
        6⤵
        Program crash
        
        PID:1656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1836
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 192
        6⤵
        Program crash
        
        PID:3492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1320
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 192
        6⤵
        Program crash
        
        PID:4016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 192
        6⤵
        Program crash
        
        PID:3780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4932
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 192
        6⤵
        Program crash
        
        PID:2800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 192
        6⤵
        
        PID:5048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 192
        6⤵
        
        PID:5016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 192
        6⤵
        
        PID:5032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3060
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 192
        6⤵
        
        PID:4616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1864
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 192
        6⤵
        
        PID:3240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1116
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 192
        6⤵
        
        PID:3268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:896
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 192
        6⤵
        
        PID:1216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 192
        6⤵
        
        PID:4816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 192
        6⤵
        
        PID:452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 192
        6⤵
        
        PID:5108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1676
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 192
        6⤵
        
        PID:4656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 192
        6⤵
        
        PID:4032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1388
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 192
        6⤵
        
        PID:2172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2756
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:64
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1084 -ip 1084
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4576 -ip 4576
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4460 -ip 4460
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1020 -ip 1020
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3828 -ip 3828
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4892 -ip 4892
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4316 -ip 4316
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4436 -ip 4436
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1800 -ip 1800
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3404 -ip 3404
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 752 -ip 752
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2796 -ip 2796
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1248 -ip 1248
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1128 -ip 1128
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2844 -ip 2844
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3332 -ip 3332
1⤵
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3364 -ip 3364
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3976 -ip 3976
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4324 -ip 4324
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1192 -ip 1192
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3012 -ip 3012
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1644 -ip 1644
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2504 -ip 2504
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3372 -ip 3372
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1828 -ip 1828
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4444 -ip 4444
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4280 -ip 4280
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2364 -ip 2364
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1732 -ip 1732
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4208 -ip 4208
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1720 -ip 1720
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1020 -ip 1020
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2032 -ip 2032
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4892 -ip 4892
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4464 -ip 4464
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3992 -ip 3992
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3924 -ip 3924
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4024 -ip 4024
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1600 -ip 1600
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1620 -ip 1620
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 980 -ip 980
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1128 -ip 1128
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3568 -ip 3568
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3332 -ip 3332
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5108 -ip 5108
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4656 -ip 4656
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4852 -ip 4852
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2336 -ip 2336
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4352 -ip 4352
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1924 -ip 1924
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3972 -ip 3972
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3372 -ip 3372
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1828 -ip 1828
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4444 -ip 4444
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4280 -ip 4280
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2364 -ip 2364
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3968 -ip 3968
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4772 -ip 4772
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1720 -ip 1720
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4668 -ip 4668
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1836 -ip 1836
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1320 -ip 1320
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1096 -ip 1096
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4932 -ip 4932
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3504 -ip 3504
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3404 -ip 3404
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3888 -ip 3888
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3060 -ip 3060
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1864 -ip 1864
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1116 -ip 1116
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 896 -ip 896
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 400 -ip 400
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3688 -ip 3688
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3976 -ip 3976
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1676 -ip 1676
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2768 -ip 2768
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1388 -ip 1388
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2756 -ip 2756
1⤵
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
bbad0d0174334cf90ed6d1ba88fbbcd0

SHA1
6c3bc5b3ffd9cbc77a8b253971211a6e68053287

SHA256
021dd782c1aa99d4a6bd4fd57a843a2fdc7b63820ae41e6157b9baaf7ac3fa36

SHA512
d4b923b672f4a4aea10b343a3d42fa33f6a44d3cd850e452a7d78bed716c9ae059c816797845ca0393abf08ca7681c55a664d727088b36832f7907c1a24b08ce

Download Submit
C:\Windows\System\explorer.exe

Filesize
8.2MB

MD5
5949f9855d5d503d86587dba9dc09e8d

SHA1
0d26355eb17efa6f0c4c918dfdceda35fbad0d4e

SHA256
be3eaa11f0123ac736ea1d9d6381083d0b0ff24e2776a5ba7788bedb968f00ca

SHA512
f4b4ef054178ccd08051190ad25e68d4ade1d191c0a50867c07c91fe5aaf379b7e5c05340ca7db2f27f24582007914fbda458700bb12a73cc00a6ec96d583de0

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.2MB

MD5
a3d89ac5a1f61a73b9f6c896a4dc07c3

SHA1
40fbb4d42a1e8b905d390fe78aba202c74613a77

SHA256
d6c2c1250ed16197d021ee30b2fb2eaa350454c274f8c2935a2805fce03dac96

SHA512
16fc23ed6ff3c238c6862b8b143cb2be687a2ecfe68f587884404c2fb25100e762306c7e61b5774f716cffc2bf4d4e61478531fba26e9503015263b8d50e7e4d

Download Submit
memory/64-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/516-36-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/516-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/516-58-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/516-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/516-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1084-69-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1084-70-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1600-117-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1800-82-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1884-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1884-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1884-23-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1884-6-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1884-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1884-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1884-3-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/3328-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3328-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3328-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3592-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3592-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3620-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3620-64-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3620-81-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4464-111-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4576-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5024-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-33-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/5024-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download