warzonerat | 4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
Size

1.2MB
MD5

11926aa36fab1d20d7087ac5b12c477c
SHA1

640f1e7539b0ea2d7ca0feac961bfdf5d06bc16f
SHA256

4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85
SHA512

ca0c544c1b0298e8541beddbbe730cd9dc45aaf4a81c8d9b885fedfedf493633a98eac62dbb5601d9f08de715d9c079ea1a96b5ff4d03ea98dba0a33432090c9

Score

10^/10

warzonerat xmrig aspackv2 evasion infostealer miner persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Warzone RAT Payload 18 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\svchost.exe	warzonerat
C:\Windows\System\svchost.exe	warzonerat

ASPack v2.12-2.42 18 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	aspack_v212_v242
\??\c:\windows\system\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\Disk.sys	aspack_v212_v242
C:\Windows\System\explorer.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
\??\c:\windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
\??\c:\windows\system\svchost.exe	aspack_v212_v242
C:\Windows\System\svchost.exe	aspack_v212_v242

Executes dropped EXE 13 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exe

pid	process
1972	explorer.exe
1560	explorer.exe
1160	spoolsv.exe
1428	spoolsv.exe
2732	spoolsv.exe
2080	spoolsv.exe
2380	spoolsv.exe
3716	spoolsv.exe
1920	spoolsv.exe
2184	spoolsv.exe
4048	spoolsv.exe
3808	spoolsv.exe
2224	svchost.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exe4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 3944 set thread context of 2976	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
PID 3944 set thread context of 3340	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	diskperf.exe
PID 1972 set thread context of 1560	1972	explorer.exe	explorer.exe
PID 1972 set thread context of 3744	1972	explorer.exe	diskperf.exe
PID 1160 set thread context of 2184	1160	spoolsv.exe	spoolsv.exe
PID 1160 set thread context of 1656	1160	spoolsv.exe	diskperf.exe

Drops file in Windows directory 5 IoCs

Processes:

spoolsv.exeexplorer.exe4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
824	1428	WerFault.exe	spoolsv.exe
2472	2732	WerFault.exe	spoolsv.exe
384	2080	WerFault.exe	spoolsv.exe
2268	2380	WerFault.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exeexplorer.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2976	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
2976	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
1560	explorer.exe
1560	explorer.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
1560	explorer.exe
1560	explorer.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
1560	explorer.exe
1560	explorer.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1560 explorer.exe

pid	process
1560	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	824	WerFault.exe
Token: SeBackupPrivilege	824	WerFault.exe
Token: SeDebugPrivilege	824	WerFault.exe
Token: SeDebugPrivilege	2472	WerFault.exe
Token: SeDebugPrivilege	384	WerFault.exe
Token: SeDebugPrivilege	2268	WerFault.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exeexplorer.exespoolsv.exe

pid	process
2976	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
2976	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
2184	spoolsv.exe
2184	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exeexplorer.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 3944 wrote to memory of 2976	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
PID 3944 wrote to memory of 2976	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
PID 3944 wrote to memory of 2976	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
PID 3944 wrote to memory of 2976	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
PID 3944 wrote to memory of 2976	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
PID 3944 wrote to memory of 2976	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
PID 3944 wrote to memory of 2976	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
PID 3944 wrote to memory of 2976	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
PID 3944 wrote to memory of 3340	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	diskperf.exe
PID 3944 wrote to memory of 3340	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	diskperf.exe
PID 3944 wrote to memory of 3340	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	diskperf.exe
PID 3944 wrote to memory of 3340	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	diskperf.exe
PID 3944 wrote to memory of 3340	3944	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	diskperf.exe
PID 2976 wrote to memory of 1972	2976	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	explorer.exe
PID 2976 wrote to memory of 1972	2976	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	explorer.exe
PID 2976 wrote to memory of 1972	2976	4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe	explorer.exe
PID 1972 wrote to memory of 1560	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 1560	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 1560	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 1560	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 1560	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 1560	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 1560	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 1560	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 3744	1972	explorer.exe	diskperf.exe
PID 1972 wrote to memory of 3744	1972	explorer.exe	diskperf.exe
PID 1972 wrote to memory of 3744	1972	explorer.exe	diskperf.exe
PID 1972 wrote to memory of 3744	1972	explorer.exe	diskperf.exe
PID 1972 wrote to memory of 3744	1972	explorer.exe	diskperf.exe
PID 1560 wrote to memory of 1160	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 1160	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 1160	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 1428	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 1428	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 1428	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 2732	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 2732	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 2732	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 2080	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 2080	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 2080	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 2380	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 2380	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 2380	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 3716	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 3716	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 3716	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 1920	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 1920	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 1920	1560	explorer.exe	spoolsv.exe
PID 1160 wrote to memory of 2184	1160	spoolsv.exe	spoolsv.exe
PID 1160 wrote to memory of 2184	1160	spoolsv.exe	spoolsv.exe
PID 1160 wrote to memory of 2184	1160	spoolsv.exe	spoolsv.exe
PID 1160 wrote to memory of 2184	1160	spoolsv.exe	spoolsv.exe
PID 1160 wrote to memory of 2184	1160	spoolsv.exe	spoolsv.exe
PID 1160 wrote to memory of 2184	1160	spoolsv.exe	spoolsv.exe
PID 1160 wrote to memory of 2184	1160	spoolsv.exe	spoolsv.exe
PID 1160 wrote to memory of 2184	1160	spoolsv.exe	spoolsv.exe
PID 1560 wrote to memory of 4048	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 4048	1560	explorer.exe	spoolsv.exe
PID 1560 wrote to memory of 4048	1560	explorer.exe	spoolsv.exe
PID 1160 wrote to memory of 1656	1160	spoolsv.exe	diskperf.exe
PID 1160 wrote to memory of 1656	1160	spoolsv.exe	diskperf.exe
PID 1160 wrote to memory of 1656	1160	spoolsv.exe	diskperf.exe

C:\Users\Admin\AppData\Local\Temp\4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
"C:\Users\Admin\AppData\Local\Temp\4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe
  "C:\Users\Admin\AppData\Local\Temp\4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2976
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Executes dropped EXE
        
        PID:2224
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1428
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 200
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 200
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2080
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 200
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2380
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 200
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3808
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:3744
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:3340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
11926aa36fab1d20d7087ac5b12c477c

SHA1
640f1e7539b0ea2d7ca0feac961bfdf5d06bc16f

SHA256
4b2a6f204d228b19015951b7cc6647f0f1eec36f8ff15e534e7ec170981e9d85

SHA512
ca0c544c1b0298e8541beddbbe730cd9dc45aaf4a81c8d9b885fedfedf493633a98eac62dbb5601d9f08de715d9c079ea1a96b5ff4d03ea98dba0a33432090c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
41dbeb0b5971ea95f85b5ee7985c77fc

SHA1
52a18c1951a4a90dc0ff38e515ab6a01a9d7bb84

SHA256
338202a265a396e085a6e8cd96d7f510e8f24140dcfc653775bc47b599755fe4

SHA512
694fbdf134cd2cffa68f594f7de29008a470646227b4d0ad21d475137786442e1ffde23ab24c49c7ed27f94108d1ae2c40388f3b244f55d0627eafb4568c32b9

Download Submit
C:\Windows\System\explorer.exe

MD5
41dbeb0b5971ea95f85b5ee7985c77fc

SHA1
52a18c1951a4a90dc0ff38e515ab6a01a9d7bb84

SHA256
338202a265a396e085a6e8cd96d7f510e8f24140dcfc653775bc47b599755fe4

SHA512
694fbdf134cd2cffa68f594f7de29008a470646227b4d0ad21d475137786442e1ffde23ab24c49c7ed27f94108d1ae2c40388f3b244f55d0627eafb4568c32b9

Download Submit
C:\Windows\System\explorer.exe

MD5
41dbeb0b5971ea95f85b5ee7985c77fc

SHA1
52a18c1951a4a90dc0ff38e515ab6a01a9d7bb84

SHA256
338202a265a396e085a6e8cd96d7f510e8f24140dcfc653775bc47b599755fe4

SHA512
694fbdf134cd2cffa68f594f7de29008a470646227b4d0ad21d475137786442e1ffde23ab24c49c7ed27f94108d1ae2c40388f3b244f55d0627eafb4568c32b9

Download Submit
C:\Windows\System\spoolsv.exe

MD5
59cb4947aacbe7e802ebfdd05bf0223e

SHA1
51045ac7d13310ca60627210d729b51979f4f6ff

SHA256
7b0a4935459f3e9337ebb250121ce896900f21325c3cce7801acc2a27c5a387c

SHA512
31bddcc6238493cf52744dffc5cbf4130077407fd352807079b3677a59cf88f5f26d909a8635981889f0bb2b90cffbcc70e08f315bce64884227c02c687e2ef5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
59cb4947aacbe7e802ebfdd05bf0223e

SHA1
51045ac7d13310ca60627210d729b51979f4f6ff

SHA256
7b0a4935459f3e9337ebb250121ce896900f21325c3cce7801acc2a27c5a387c

SHA512
31bddcc6238493cf52744dffc5cbf4130077407fd352807079b3677a59cf88f5f26d909a8635981889f0bb2b90cffbcc70e08f315bce64884227c02c687e2ef5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
59cb4947aacbe7e802ebfdd05bf0223e

SHA1
51045ac7d13310ca60627210d729b51979f4f6ff

SHA256
7b0a4935459f3e9337ebb250121ce896900f21325c3cce7801acc2a27c5a387c

SHA512
31bddcc6238493cf52744dffc5cbf4130077407fd352807079b3677a59cf88f5f26d909a8635981889f0bb2b90cffbcc70e08f315bce64884227c02c687e2ef5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
59cb4947aacbe7e802ebfdd05bf0223e

SHA1
51045ac7d13310ca60627210d729b51979f4f6ff

SHA256
7b0a4935459f3e9337ebb250121ce896900f21325c3cce7801acc2a27c5a387c

SHA512
31bddcc6238493cf52744dffc5cbf4130077407fd352807079b3677a59cf88f5f26d909a8635981889f0bb2b90cffbcc70e08f315bce64884227c02c687e2ef5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
59cb4947aacbe7e802ebfdd05bf0223e

SHA1
51045ac7d13310ca60627210d729b51979f4f6ff

SHA256
7b0a4935459f3e9337ebb250121ce896900f21325c3cce7801acc2a27c5a387c

SHA512
31bddcc6238493cf52744dffc5cbf4130077407fd352807079b3677a59cf88f5f26d909a8635981889f0bb2b90cffbcc70e08f315bce64884227c02c687e2ef5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
59cb4947aacbe7e802ebfdd05bf0223e

SHA1
51045ac7d13310ca60627210d729b51979f4f6ff

SHA256
7b0a4935459f3e9337ebb250121ce896900f21325c3cce7801acc2a27c5a387c

SHA512
31bddcc6238493cf52744dffc5cbf4130077407fd352807079b3677a59cf88f5f26d909a8635981889f0bb2b90cffbcc70e08f315bce64884227c02c687e2ef5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
59cb4947aacbe7e802ebfdd05bf0223e

SHA1
51045ac7d13310ca60627210d729b51979f4f6ff

SHA256
7b0a4935459f3e9337ebb250121ce896900f21325c3cce7801acc2a27c5a387c

SHA512
31bddcc6238493cf52744dffc5cbf4130077407fd352807079b3677a59cf88f5f26d909a8635981889f0bb2b90cffbcc70e08f315bce64884227c02c687e2ef5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
59cb4947aacbe7e802ebfdd05bf0223e

SHA1
51045ac7d13310ca60627210d729b51979f4f6ff

SHA256
7b0a4935459f3e9337ebb250121ce896900f21325c3cce7801acc2a27c5a387c

SHA512
31bddcc6238493cf52744dffc5cbf4130077407fd352807079b3677a59cf88f5f26d909a8635981889f0bb2b90cffbcc70e08f315bce64884227c02c687e2ef5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
59cb4947aacbe7e802ebfdd05bf0223e

SHA1
51045ac7d13310ca60627210d729b51979f4f6ff

SHA256
7b0a4935459f3e9337ebb250121ce896900f21325c3cce7801acc2a27c5a387c

SHA512
31bddcc6238493cf52744dffc5cbf4130077407fd352807079b3677a59cf88f5f26d909a8635981889f0bb2b90cffbcc70e08f315bce64884227c02c687e2ef5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
59cb4947aacbe7e802ebfdd05bf0223e

SHA1
51045ac7d13310ca60627210d729b51979f4f6ff

SHA256
7b0a4935459f3e9337ebb250121ce896900f21325c3cce7801acc2a27c5a387c

SHA512
31bddcc6238493cf52744dffc5cbf4130077407fd352807079b3677a59cf88f5f26d909a8635981889f0bb2b90cffbcc70e08f315bce64884227c02c687e2ef5

Download Submit
C:\Windows\System\svchost.exe

MD5
a6ee4fe95ba8f157a878f58f84017014

SHA1
bddad8a80d06fff5d2bee48c84c0a0d373f8810d

SHA256
f341119f02ed5e4b70c6ece4d211c3e0fb429134b1789f99ed405b05c34ee748

SHA512
954375d1860606d9718c700bcfb0e8edeeedc9172d5b3a3536b337cadc1b2ee428e6c82fe5f82111ec02a78fcb5a91dcab6775afd9cc7414dc4235c0e49c4a75

Download Submit
\??\c:\windows\system\explorer.exe

MD5
41dbeb0b5971ea95f85b5ee7985c77fc

SHA1
52a18c1951a4a90dc0ff38e515ab6a01a9d7bb84

SHA256
338202a265a396e085a6e8cd96d7f510e8f24140dcfc653775bc47b599755fe4

SHA512
694fbdf134cd2cffa68f594f7de29008a470646227b4d0ad21d475137786442e1ffde23ab24c49c7ed27f94108d1ae2c40388f3b244f55d0627eafb4568c32b9

Download Submit
\??\c:\windows\system\spoolsv.exe

MD5
59cb4947aacbe7e802ebfdd05bf0223e

SHA1
51045ac7d13310ca60627210d729b51979f4f6ff

SHA256
7b0a4935459f3e9337ebb250121ce896900f21325c3cce7801acc2a27c5a387c

SHA512
31bddcc6238493cf52744dffc5cbf4130077407fd352807079b3677a59cf88f5f26d909a8635981889f0bb2b90cffbcc70e08f315bce64884227c02c687e2ef5

Download Submit
\??\c:\windows\system\svchost.exe

MD5
a6ee4fe95ba8f157a878f58f84017014

SHA1
bddad8a80d06fff5d2bee48c84c0a0d373f8810d

SHA256
f341119f02ed5e4b70c6ece4d211c3e0fb429134b1789f99ed405b05c34ee748

SHA512
954375d1860606d9718c700bcfb0e8edeeedc9172d5b3a3536b337cadc1b2ee428e6c82fe5f82111ec02a78fcb5a91dcab6775afd9cc7414dc4235c0e49c4a75

Download Submit
memory/1160-144-0x0000000000000000-mapping.dmp

Download
memory/1160-147-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1160-150-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1428-151-0x0000000000000000-mapping.dmp

Download
memory/1560-133-0x0000000000403670-mapping.dmp

Download
memory/1656-171-0x0000000000411000-mapping.dmp

Download
memory/1920-161-0x0000000000000000-mapping.dmp

Download
memory/1972-128-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1972-131-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1972-125-0x0000000000000000-mapping.dmp

Download
memory/2080-155-0x0000000000000000-mapping.dmp

Download
memory/2184-164-0x0000000000403670-mapping.dmp

Download
memory/2224-183-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2224-175-0x0000000000000000-mapping.dmp

Download
memory/2224-180-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2380-157-0x0000000000000000-mapping.dmp

Download
memory/2732-153-0x0000000000000000-mapping.dmp

Download
memory/2976-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2976-116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2976-117-0x0000000000403670-mapping.dmp

Download
memory/3340-119-0x0000000000411000-mapping.dmp

Download
memory/3340-118-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3340-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3716-159-0x0000000000000000-mapping.dmp

Download
memory/3744-138-0x0000000000411000-mapping.dmp

Download
memory/3808-174-0x0000000000000000-mapping.dmp

Download
memory/3944-114-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3944-115-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4048-165-0x0000000000000000-mapping.dmp

Download