warzonerat | c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1

Analysis

max time kernel
117s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
Size

1.8MB
MD5

e9ea6107f88718d31e9a0e7f8a0f4874
SHA1

5904f4873bd906f99727ee5c3d19dd65b14b87c4
SHA256

c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1
SHA512

6fcd8e30e4ec24fde839079a58004d1ec63cbb50e804e2ed1572776a92270439e94858c28a497051b55177cbc2d6240cb7914311daf21f598a1421d91dfaedb2
SSDEEP

12288:Q99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSG9dA7W2FeDSIGVH/KIDgm:k1gg4CppEI6GGfWDkMQDbGV6eH8tk3

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1924	explorer.exe
4112	explorer.exe
4776	spoolsv.exe
3360	spoolsv.exe
908	spoolsv.exe
1820	spoolsv.exe
4740	spoolsv.exe
2660	spoolsv.exe
4656	spoolsv.exe
4824	spoolsv.exe
5044	spoolsv.exe
4720	spoolsv.exe
4576	spoolsv.exe
3744	spoolsv.exe
5108	spoolsv.exe
692	spoolsv.exe
4648	spoolsv.exe
1628	spoolsv.exe
3864	spoolsv.exe
4272	spoolsv.exe
3464	spoolsv.exe
2784	spoolsv.exe
1544	spoolsv.exe
2396	spoolsv.exe
220	spoolsv.exe
1828	spoolsv.exe
3756	spoolsv.exe
4364	spoolsv.exe
2716	spoolsv.exe
1676	spoolsv.exe
3724	spoolsv.exe
228	spoolsv.exe
2320	spoolsv.exe
4632	spoolsv.exe
2724	spoolsv.exe
3588	spoolsv.exe
1616	spoolsv.exe
1916	spoolsv.exe
1664	spoolsv.exe
1864	spoolsv.exe
3476	spoolsv.exe
3976	spoolsv.exe
720	spoolsv.exe
4504	spoolsv.exe
4492	spoolsv.exe
2848	spoolsv.exe
4792	spoolsv.exe
1940	spoolsv.exe
3220	spoolsv.exe
2576	spoolsv.exe
3836	spoolsv.exe
4624	spoolsv.exe
4884	spoolsv.exe
2560	spoolsv.exe
464	spoolsv.exe
2788	spoolsv.exe
3500	spoolsv.exe
2860	spoolsv.exe
4908	spoolsv.exe
4076	spoolsv.exe
4516	spoolsv.exe
1084	spoolsv.exe
2176	spoolsv.exe
1680	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exeexplorer.exe

description	pid	process	target process
PID 1296 set thread context of 1772	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
PID 1296 set thread context of 4972	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	diskperf.exe
PID 1924 set thread context of 4112	1924	explorer.exe	explorer.exe

Drops file in Windows directory 3 IoCs

Processes:

explorer.exec9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exeexplorer.exe

pid	process
1772	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
1772	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exeexplorer.exe

pid	process
1772	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
1772	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exec9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1296 wrote to memory of 1772	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
PID 1296 wrote to memory of 1772	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
PID 1296 wrote to memory of 1772	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
PID 1296 wrote to memory of 1772	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
PID 1296 wrote to memory of 1772	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
PID 1296 wrote to memory of 1772	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
PID 1296 wrote to memory of 1772	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
PID 1296 wrote to memory of 1772	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
PID 1296 wrote to memory of 4972	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	diskperf.exe
PID 1296 wrote to memory of 4972	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	diskperf.exe
PID 1296 wrote to memory of 4972	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	diskperf.exe
PID 1296 wrote to memory of 4972	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	diskperf.exe
PID 1296 wrote to memory of 4972	1296	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	diskperf.exe
PID 1772 wrote to memory of 1924	1772	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	explorer.exe
PID 1772 wrote to memory of 1924	1772	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	explorer.exe
PID 1772 wrote to memory of 1924	1772	c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe	explorer.exe
PID 1924 wrote to memory of 4112	1924	explorer.exe	explorer.exe
PID 1924 wrote to memory of 4112	1924	explorer.exe	explorer.exe
PID 1924 wrote to memory of 4112	1924	explorer.exe	explorer.exe
PID 1924 wrote to memory of 4112	1924	explorer.exe	explorer.exe
PID 1924 wrote to memory of 4112	1924	explorer.exe	explorer.exe
PID 1924 wrote to memory of 4112	1924	explorer.exe	explorer.exe
PID 1924 wrote to memory of 4112	1924	explorer.exe	explorer.exe
PID 1924 wrote to memory of 4112	1924	explorer.exe	explorer.exe
PID 1924 wrote to memory of 748	1924	explorer.exe	diskperf.exe
PID 1924 wrote to memory of 748	1924	explorer.exe	diskperf.exe
PID 1924 wrote to memory of 748	1924	explorer.exe	diskperf.exe
PID 4112 wrote to memory of 4776	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4776	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4776	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 3360	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 3360	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 3360	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 908	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 908	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 908	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 1820	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 1820	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 1820	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4740	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4740	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4740	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 2660	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 2660	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 2660	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4656	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4656	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4656	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4824	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4824	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4824	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 5044	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 5044	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 5044	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4720	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4720	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4720	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4576	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4576	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 4576	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 3744	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 3744	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 3744	4112	explorer.exe	spoolsv.exe
PID 4112 wrote to memory of 5108	4112	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
"C:\Users\Admin\AppData\Local\Temp\c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe
"C:\Users\Admin\AppData\Local\Temp\c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1924

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:5044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:4972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
Filesize
1.8MB

MD5
e9ea6107f88718d31e9a0e7f8a0f4874

SHA1
5904f4873bd906f99727ee5c3d19dd65b14b87c4

SHA256
c9dd53c61d7675d933dfd72f5f8e426d5557009b7cb41f0d8ed06b1ee78814b1

SHA512
6fcd8e30e4ec24fde839079a58004d1ec63cbb50e804e2ed1572776a92270439e94858c28a497051b55177cbc2d6240cb7914311daf21f598a1421d91dfaedb2

Download Submit
C:\Windows\System\explorer.exe
Filesize
1.8MB

MD5
b66895973c5ed3b22c7d2b42f737b9a2

SHA1
c400806d085486ed93192ded4c21efa80a77138b

SHA256
982d5d20c54c6defbbb7606d72f0da8507f41401b665bb03a5f4f15aef19dffb

SHA512
ffed92c81f6155ae5eedc4182114758cb89454ca4cffd14270f52417f67c2826872f20a8940f8442b59db5966d1afd27063816ad4ef3fe284f96e52e137d2535

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
1.8MB

MD5
a1550e25c8ce6cd98795eab301293b0b

SHA1
c3f1286dad94135603e55dfb015c378beb87a5a1

SHA256
0c34cfabf3adc10f65d5a38574b7f09da3190abd9fc1302a77e586c348f96766

SHA512
7d14bca9af25bd3e049ceacca6ee2ce342407a1482a63a6cb07009db5b985eed09502bd586c083f1290be03433715b45ae4d70dec499b75a1a61d817222310f9

Download Submit
memory/692-118-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/692-114-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/692-98-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/908-71-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/908-53-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/908-70-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1296-1-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1296-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1296-14-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1296-3-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1296-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1628-104-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1772-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1772-25-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/1772-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1772-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-75-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1820-76-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1820-55-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1924-38-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1924-23-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1924-24-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1924-27-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1924-28-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2660-63-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2660-85-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2660-84-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3360-67-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3360-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3360-51-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3464-117-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3464-119-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3744-89-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/3744-108-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/3744-106-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3864-107-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3864-109-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4112-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4112-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4272-115-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/4272-112-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4576-86-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4576-103-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4576-100-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4648-101-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/4656-88-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4656-68-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4656-66-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4720-82-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4720-97-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4720-80-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4740-57-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4740-81-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4740-79-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4740-59-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4776-47-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4776-61-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4776-62-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4824-91-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4824-73-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4824-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4972-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4972-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4972-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5044-96-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/5044-95-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5044-77-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/5108-111-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5108-113-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/5108-93-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/5108-92-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download