warzonerat | 5b09f5b87758a75b32f8c9d756d8987d789e15a8a089ea27a96e69350c6e5942

General

Target

09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
Size

1.2MB
MD5

09102b724d08871b31d9618a5cc78932
SHA1

4217a8ed99a6b822ba9a46b56b1c14c4b0c3719a
SHA256

5b09f5b87758a75b32f8c9d756d8987d789e15a8a089ea27a96e69350c6e5942
SHA512

f5e2ebff372382d497162b36998189faeb135380ec126cb20bff23859eb38c1922440396a669df28293be9052fcfccdcb83fe428e4b4aad97090f91f4a32dbe7
SSDEEP

12288:GIbsBDU0I6+Tu0TJ0N1oYgeOF5A7W2FeDSIGVH/KIDgDgUeHbY1tkn:GIbGD2JTu0GoWQDbGV6eH8tkn

Score

10^/10

warzonerat aspackv2 evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\svchost.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\svchost.exe	aspack_v212_v242

Executes dropped EXE 10 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exe

pid	process
2544	explorer.exe
1920	explorer.exe
2020	spoolsv.exe
3052	spoolsv.exe
1100	spoolsv.exe
2168	spoolsv.exe
1860	spoolsv.exe
1400	spoolsv.exe
1628	spoolsv.exe
3032	svchost.exe

Loads dropped DLL 52 IoCs

Processes:

09102b724d08871b31d9618a5cc78932_JaffaCakes118.exeexplorer.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exespoolsv.exespoolsv.exe

pid	process
2732	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
2732	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
1920	explorer.exe
1920	explorer.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1920	explorer.exe
1920	explorer.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1920	explorer.exe
1920	explorer.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1920	explorer.exe
1920	explorer.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
2020	spoolsv.exe
1628	spoolsv.exe
1628	spoolsv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exespoolsv.exe09102b724d08871b31d9618a5cc78932_JaffaCakes118.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

09102b724d08871b31d9618a5cc78932_JaffaCakes118.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 2400 set thread context of 2732	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
PID 2400 set thread context of 2492	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	diskperf.exe
PID 2544 set thread context of 1920	2544	explorer.exe	explorer.exe
PID 2544 set thread context of 1472	2544	explorer.exe	diskperf.exe
PID 2020 set thread context of 1628	2020	spoolsv.exe	spoolsv.exe
PID 2020 set thread context of 1104	2020	spoolsv.exe	diskperf.exe

Drops file in Windows directory 5 IoCs

Processes:

09102b724d08871b31d9618a5cc78932_JaffaCakes118.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process
2072	3052	WerFault.exe
1684	1100	WerFault.exe	spoolsv.exe
1996	2168	WerFault.exe	spoolsv.exe
1196	1860	WerFault.exe	spoolsv.exe
1532	1400	WerFault.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

09102b724d08871b31d9618a5cc78932_JaffaCakes118.exeexplorer.exe

pid	process
2732	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1920 explorer.exe

pid	process
1920	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

09102b724d08871b31d9618a5cc78932_JaffaCakes118.exeexplorer.exespoolsv.exe

pid	process
2732	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
2732	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1628	spoolsv.exe
1628	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe09102b724d08871b31d9618a5cc78932_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2400 wrote to memory of 2732	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
PID 2400 wrote to memory of 2732	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
PID 2400 wrote to memory of 2732	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
PID 2400 wrote to memory of 2732	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
PID 2400 wrote to memory of 2732	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
PID 2400 wrote to memory of 2732	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
PID 2400 wrote to memory of 2732	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
PID 2400 wrote to memory of 2732	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
PID 2400 wrote to memory of 2732	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
PID 2400 wrote to memory of 2492	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	diskperf.exe
PID 2400 wrote to memory of 2492	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	diskperf.exe
PID 2400 wrote to memory of 2492	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	diskperf.exe
PID 2400 wrote to memory of 2492	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	diskperf.exe
PID 2400 wrote to memory of 2492	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	diskperf.exe
PID 2400 wrote to memory of 2492	2400	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	diskperf.exe
PID 2732 wrote to memory of 2544	2732	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	explorer.exe
PID 2732 wrote to memory of 2544	2732	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	explorer.exe
PID 2732 wrote to memory of 2544	2732	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	explorer.exe
PID 2732 wrote to memory of 2544	2732	09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe	explorer.exe
PID 2544 wrote to memory of 1920	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 1920	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 1920	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 1920	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 1920	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 1920	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 1920	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 1920	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 1920	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 1472	2544	explorer.exe	diskperf.exe
PID 2544 wrote to memory of 1472	2544	explorer.exe	diskperf.exe
PID 2544 wrote to memory of 1472	2544	explorer.exe	diskperf.exe
PID 2544 wrote to memory of 1472	2544	explorer.exe	diskperf.exe
PID 2544 wrote to memory of 1472	2544	explorer.exe	diskperf.exe
PID 2544 wrote to memory of 1472	2544	explorer.exe	diskperf.exe
PID 1920 wrote to memory of 2020	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 2020	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 2020	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 2020	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 3052	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 3052	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 3052	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 3052	1920	explorer.exe	spoolsv.exe
PID 3052 wrote to memory of 2072	3052	spoolsv.exe	WerFault.exe
PID 3052 wrote to memory of 2072	3052	spoolsv.exe	WerFault.exe
PID 3052 wrote to memory of 2072	3052	spoolsv.exe	WerFault.exe
PID 3052 wrote to memory of 2072	3052	spoolsv.exe	WerFault.exe
PID 1920 wrote to memory of 1100	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 1100	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 1100	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 1100	1920	explorer.exe	spoolsv.exe
PID 1100 wrote to memory of 1684	1100	spoolsv.exe	WerFault.exe
PID 1100 wrote to memory of 1684	1100	spoolsv.exe	WerFault.exe
PID 1100 wrote to memory of 1684	1100	spoolsv.exe	WerFault.exe
PID 1100 wrote to memory of 1684	1100	spoolsv.exe	WerFault.exe
PID 1920 wrote to memory of 2168	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 2168	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 2168	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 2168	1920	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 1996	2168	spoolsv.exe	WerFault.exe
PID 2168 wrote to memory of 1996	2168	spoolsv.exe	WerFault.exe
PID 2168 wrote to memory of 1996	2168	spoolsv.exe	WerFault.exe
PID 2168 wrote to memory of 1996	2168	spoolsv.exe	WerFault.exe
PID 1920 wrote to memory of 1860	1920	explorer.exe	spoolsv.exe
PID 1920 wrote to memory of 1860	1920	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09102b724d08871b31d9618a5cc78932_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2544

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1628

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Executes dropped EXE
PID:3032

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:1196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:1532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:2492

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
Filesize
1.2MB

MD5
09102b724d08871b31d9618a5cc78932

SHA1
4217a8ed99a6b822ba9a46b56b1c14c4b0c3719a

SHA256
5b09f5b87758a75b32f8c9d756d8987d789e15a8a089ea27a96e69350c6e5942

SHA512
f5e2ebff372382d497162b36998189faeb135380ec126cb20bff23859eb38c1922440396a669df28293be9052fcfccdcb83fe428e4b4aad97090f91f4a32dbe7

Download Submit
C:\Windows\system\explorer.exe
Filesize
1.2MB

MD5
32e556d58f88833d2e4688e43e8ab773

SHA1
7a05a7ffbb22ccefaa02eee314c4f2cb170ba1f2

SHA256
d4bfcb78e14ea4a2051866493f96d87f7c837d83e10aefbb2a4de0d3effea76f

SHA512
ce5b62547806915b0185a69e12fb611805d7302628b65060e6e2aca9b294edc084d9aa78da93e217e7209e59b807aa7d2f682d607546b183f09877395cf6bc64

Download Submit
\Windows\system\spoolsv.exe
Filesize
1.2MB

MD5
92990e04db13a9d2d26252f505967ff5

SHA1
296bf6fbfb832640e4dde67759f508a16367b76b

SHA256
954bd430f192c1667803475e7f1cb55e7801071326a64b6ae82b1dd63c4a2118

SHA512
8a49fd08d86443bfefe1586ef394373869968ba0eeb8ce35fe14a8df0f3420351664789af8bbbc99e4f658a89a676f653af5511cd96975530d7a5ff1d632eb4c

Download Submit
\Windows\system\svchost.exe
Filesize
1.2MB

MD5
eb43685c94295b8fa72045f0f7b4ad95

SHA1
903f0a1cc835d6654174dffa61d5c8c172a2f689

SHA256
e3a8045fbb999c1f782f130a0a079894e3ce7ee36b797f2a25352a4062fc5c36

SHA512
22791bc9afdc287a3bde1c282f3b5a6d008783195b7ebe552abcc29dea1fa802cebd526b1e8d8fea6a2b5d95dd6fa1b703c73704c1aaa8174181c30fac398c9e

Download Submit
memory/1100-134-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1628-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1628-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1628-235-0x0000000003150000-0x0000000003264000-memory.dmp

Filesize
1.1MB

Download
memory/1920-145-0x0000000003410000-0x0000000003524000-memory.dmp

Filesize
1.1MB

Download
memory/1920-142-0x0000000003410000-0x0000000003524000-memory.dmp

Filesize
1.1MB

Download
memory/1920-126-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1920-172-0x0000000003410000-0x0000000003524000-memory.dmp

Filesize
1.1MB

Download
memory/1920-115-0x0000000003410000-0x0000000003524000-memory.dmp

Filesize
1.1MB

Download
memory/1920-95-0x0000000003410000-0x0000000003524000-memory.dmp

Filesize
1.1MB

Download
memory/1920-101-0x0000000003410000-0x0000000003524000-memory.dmp

Filesize
1.1MB

Download
memory/1920-144-0x0000000003410000-0x0000000003524000-memory.dmp

Filesize
1.1MB

Download
memory/1920-143-0x0000000003410000-0x0000000003524000-memory.dmp

Filesize
1.1MB

Download
memory/2020-103-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2020-102-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2020-227-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2020-104-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2020-128-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2400-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2400-26-0x0000000002FC0000-0x00000000030D4000-memory.dmp

Filesize
1.1MB

Download
memory/2400-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2400-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2400-38-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2400-6-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2400-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2492-37-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2492-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2492-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2492-41-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2492-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-53-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2544-54-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2544-59-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2544-57-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2544-50-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2544-52-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2544-86-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2732-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-51-0x0000000003210000-0x0000000003324000-memory.dmp

Filesize
1.1MB

Download
memory/2732-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-49-0x0000000003210000-0x0000000003324000-memory.dmp

Filesize
1.1MB

Download
memory/2732-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-236-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3052-116-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads