warzonerat | c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86

Analysis

max time kernel
160s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
Size

1.2MB
MD5

e25c1780e19f0f96ece4f8186183a183
SHA1

82c34c7a3e75f25d7efa6fbc74221e725ba132c6
SHA256

c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86
SHA512

2eb00b9df4605fc05553a784a7c6c784e4eb79930a1e54b81c30983df925bcddf7cda5536d4c8a57e9156b32a8494815317032c64e37cfa70c0873104ba8e337
SSDEEP

12288:OIbsBDU0I6+Tu0TJ0N1oYgNOFDA7W2FeDSIGVH/KIDgDgUeHbY11kR:OIbGD2JTu0GoZQDbGV6eH81kR

Score

10^/10

warzonerat aspackv2 evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Detects executables packed with ASPack 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2252-0-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2252-2-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2252-1-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2252-4-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2252-22-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4364-29-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4364-31-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4364-32-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4364-30-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
\??\c:\windows\system\explorer.exe	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4364-36-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4364-56-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
C:\Windows\System\spoolsv.exe	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1552-64-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1552-63-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2860-69-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2860-68-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3192-71-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3192-72-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4520-74-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4520-75-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4520-76-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2220-79-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2220-78-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2836-81-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2836-83-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2836-82-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2140-85-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/656-89-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3300-94-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1100-98-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3104-108-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3988-112-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4644-119-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4644-120-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4644-121-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2516-126-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4636-130-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2356-136-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2776-144-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1640-149-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1264-153-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3568-160-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/32-170-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2300-172-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2432-179-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1840-184-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2360-189-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3032-195-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2016-203-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1796-206-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4888-212-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1688-220-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/368-223-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2028-229-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3612-240-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/684-248-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2348-260-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4016-270-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2244-276-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/5080-281-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1236-290-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2212-294-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\??\c:\windows\system\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4364	explorer.exe
4000	explorer.exe
1552	spoolsv.exe
2860	spoolsv.exe
3192	spoolsv.exe
4520	spoolsv.exe
2220	spoolsv.exe
2836	spoolsv.exe
2140	spoolsv.exe
656	spoolsv.exe
3300	spoolsv.exe
1100	spoolsv.exe
4344	spoolsv.exe
1176	spoolsv.exe
3104	spoolsv.exe
3988	spoolsv.exe
2452	spoolsv.exe
4644	spoolsv.exe
3012	spoolsv.exe
2516	spoolsv.exe
4636	spoolsv.exe
2356	spoolsv.exe
4628	spoolsv.exe
4944	spoolsv.exe
2776	spoolsv.exe
1640	spoolsv.exe
1264	spoolsv.exe
4384	spoolsv.exe
3568	spoolsv.exe
2572	spoolsv.exe
32	spoolsv.exe
2300	spoolsv.exe
2432	spoolsv.exe
1840	spoolsv.exe
2360	spoolsv.exe
1056	spoolsv.exe
3032	spoolsv.exe
2016	spoolsv.exe
1796	spoolsv.exe
4888	spoolsv.exe
1688	spoolsv.exe
368	spoolsv.exe
2028	spoolsv.exe
1528	spoolsv.exe
3612	spoolsv.exe
4472	spoolsv.exe
684	spoolsv.exe
1748	spoolsv.exe
2844	spoolsv.exe
2348	spoolsv.exe
3036	spoolsv.exe
4016	spoolsv.exe
2244	spoolsv.exe
5080	spoolsv.exe
3620	spoolsv.exe
1236	spoolsv.exe
2212	spoolsv.exe
2096	spoolsv.exe
4780	spoolsv.exe
3960	spoolsv.exe
1172	spoolsv.exe
4484	spoolsv.exe
5060	spoolsv.exe
2596	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exeexplorer.exe

description	pid	process	target process
PID 2252 set thread context of 4700	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
PID 2252 set thread context of 2440	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	diskperf.exe
PID 4364 set thread context of 4000	4364	explorer.exe	explorer.exe
PID 4364 set thread context of 996	4364	explorer.exe	diskperf.exe

Drops file in Windows directory 3 IoCs

Processes:

explorer.exec49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exeexplorer.exe

pid	process
4700	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
4700	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

4000 explorer.exe

pid	process
4000	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exeexplorer.exe

pid	process
4700	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
4700	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exec49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2252 wrote to memory of 4700	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
PID 2252 wrote to memory of 4700	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
PID 2252 wrote to memory of 4700	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
PID 2252 wrote to memory of 4700	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
PID 2252 wrote to memory of 4700	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
PID 2252 wrote to memory of 4700	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
PID 2252 wrote to memory of 4700	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
PID 2252 wrote to memory of 4700	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
PID 2252 wrote to memory of 2440	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	diskperf.exe
PID 2252 wrote to memory of 2440	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	diskperf.exe
PID 2252 wrote to memory of 2440	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	diskperf.exe
PID 2252 wrote to memory of 2440	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	diskperf.exe
PID 2252 wrote to memory of 2440	2252	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	diskperf.exe
PID 4700 wrote to memory of 4364	4700	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	explorer.exe
PID 4700 wrote to memory of 4364	4700	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	explorer.exe
PID 4700 wrote to memory of 4364	4700	c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe	explorer.exe
PID 4364 wrote to memory of 4000	4364	explorer.exe	explorer.exe
PID 4364 wrote to memory of 4000	4364	explorer.exe	explorer.exe
PID 4364 wrote to memory of 4000	4364	explorer.exe	explorer.exe
PID 4364 wrote to memory of 4000	4364	explorer.exe	explorer.exe
PID 4364 wrote to memory of 4000	4364	explorer.exe	explorer.exe
PID 4364 wrote to memory of 4000	4364	explorer.exe	explorer.exe
PID 4364 wrote to memory of 4000	4364	explorer.exe	explorer.exe
PID 4364 wrote to memory of 4000	4364	explorer.exe	explorer.exe
PID 4364 wrote to memory of 996	4364	explorer.exe	diskperf.exe
PID 4364 wrote to memory of 996	4364	explorer.exe	diskperf.exe
PID 4364 wrote to memory of 996	4364	explorer.exe	diskperf.exe
PID 4364 wrote to memory of 996	4364	explorer.exe	diskperf.exe
PID 4364 wrote to memory of 996	4364	explorer.exe	diskperf.exe
PID 4000 wrote to memory of 1552	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 1552	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 1552	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 2860	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 2860	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 2860	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 3192	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 3192	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 3192	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 4520	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 4520	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 4520	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 2220	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 2220	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 2220	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 2836	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 2836	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 2836	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 2140	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 2140	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 2140	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 656	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 656	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 656	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 3300	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 3300	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 3300	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 1100	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 1100	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 1100	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 4344	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 4344	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 4344	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 1176	4000	explorer.exe	spoolsv.exe
PID 4000 wrote to memory of 1176	4000	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
"C:\Users\Admin\AppData\Local\Temp\c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe
"C:\Users\Admin\AppData\Local\Temp\c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4700

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4364

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:32

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:996

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
1.2MB

MD5
e25c1780e19f0f96ece4f8186183a183

SHA1
82c34c7a3e75f25d7efa6fbc74221e725ba132c6

SHA256
c49b3a0169bc9c6cf8faebc57a93ed2686b06553f94f37edf524a98dafd2db86

SHA512
2eb00b9df4605fc05553a784a7c6c784e4eb79930a1e54b81c30983df925bcddf7cda5536d4c8a57e9156b32a8494815317032c64e37cfa70c0873104ba8e337

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.2MB

MD5
74cd3c08771c72e7f305015d18f584a6

SHA1
fa173e32cd348727fd9e721e3d1dc78a8af5123e

SHA256
fee4cad07eccde7e44a9d25d91e8b2890e9061204b3c769ce1c38c3b8d0632af

SHA512
e5d1ff3b441948245f1282d435268f3f58b394b5d45c228e3b4924f32b9deb77905224898f40ec540c83b886e4859e642f957ecdcc0330289c521053f0cb78d6

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
1.2MB

MD5
b3f40bba3e457c2bd59ff9f0ccffb48d

SHA1
59ece5b0d280a2e0b4b976b9cb8ed57d784c6e59

SHA256
89388a73d30b7ad7b59289714f6143166f8db0ab117ac0b912236e55b8e43c0b

SHA512
3ff30d1f599d18ae3a9890ac14f8e3d5b63abff5788582256b0c4d64cdbbf5ea3754f0412c6ba7afa6f8fc1d651ea19a2e9f4d9f509563ef8a86b04389d37f4d

Download Submit
memory/32-170-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/368-223-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/644-366-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/656-89-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/656-434-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/684-248-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/996-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1100-444-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1100-98-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1172-313-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1176-507-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1200-334-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1232-342-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1236-290-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1264-153-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1552-64-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1552-398-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1552-63-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1640-149-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1688-220-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1796-206-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1840-184-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2016-203-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2028-229-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2096-301-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2116-338-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2140-85-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2140-430-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2212-294-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2220-79-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2220-78-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2220-420-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2244-276-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2252-22-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2252-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2252-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2252-3-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2252-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2252-6-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2252-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2300-172-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2348-260-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2356-136-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2360-189-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2432-179-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2440-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2440-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2440-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2516-126-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2596-323-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2776-144-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2836-81-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2836-425-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2836-83-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2836-82-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2860-68-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2860-404-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2860-69-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2904-354-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3032-195-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3104-541-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3104-108-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3128-327-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3184-350-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3192-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3192-409-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3192-71-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3300-94-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3300-439-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3568-160-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3584-375-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3612-240-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3960-307-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3988-112-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4000-93-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4000-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-270-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4292-362-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4344-475-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4364-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4364-29-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4364-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4364-56-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4364-36-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4364-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4484-317-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4520-76-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4520-75-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4520-74-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4520-418-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4612-346-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4636-130-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4644-121-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4644-119-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4644-120-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4672-358-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4700-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4700-33-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4700-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4700-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4888-212-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5048-370-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5080-281-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5096-330-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5136-378-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5168-383-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5212-387-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5248-391-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5284-396-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5320-402-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5364-407-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5400-417-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5440-419-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5484-421-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5516-429-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5584-437-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5624-442-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5660-447-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download