warzonerat | a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
Size

1.2MB
MD5

75b35c4297d42c36dd13420ea527fc97
SHA1

f25cf1973dd627c9f8692bde299b21db9946a078
SHA256

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40
SHA512

14269aba39d8fd5785cfcfc55b4266c31e98e62ebb409106d18dba7bc2914c53962fd3c313e8b38384726bc35c1ea03ee7323c5b2bfdf6979baeb5a8e962e780
SSDEEP

12288:GIbsBDU0I6+Tu0TJ0N1oYgeOF5A7W2FeDSIGVH/KIDgDgUeHbY1tkL:GIbGD2JTu0GoWQDbGV6eH8tkL

Score

10^/10

warzonerat aspackv2 evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242

Executes dropped EXE 62 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exe

pid	process
2092	explorer.exe
632	explorer.exe
4164	spoolsv.exe
3196	spoolsv.exe
1888	spoolsv.exe
4808	spoolsv.exe
4428	spoolsv.exe
4208	spoolsv.exe
2088	spoolsv.exe
4876	spoolsv.exe
3768	spoolsv.exe
4516	spoolsv.exe
884	spoolsv.exe
2424	spoolsv.exe
3840	spoolsv.exe
1648	spoolsv.exe
4136	spoolsv.exe
4044	spoolsv.exe
2092	spoolsv.exe
1164	spoolsv.exe
4292	spoolsv.exe
448	spoolsv.exe
4808	spoolsv.exe
400	spoolsv.exe
992	spoolsv.exe
1884	spoolsv.exe
1252	spoolsv.exe
4632	spoolsv.exe
216	spoolsv.exe
884	spoolsv.exe
396	spoolsv.exe
3804	spoolsv.exe
4740	spoolsv.exe
3720	spoolsv.exe
4136	spoolsv.exe
4044	spoolsv.exe
2136	spoolsv.exe
4544	spoolsv.exe
684	spoolsv.exe
4292	spoolsv.exe
4628	spoolsv.exe
4360	spoolsv.exe
3800	spoolsv.exe
1696	spoolsv.exe
4156	spoolsv.exe
1544	spoolsv.exe
5116	spoolsv.exe
5016	spoolsv.exe
4356	spoolsv.exe
2412	spoolsv.exe
2616	spoolsv.exe
3840	spoolsv.exe
4604	spoolsv.exe
3492	spoolsv.exe
1076	spoolsv.exe
1944	spoolsv.exe
1172	spoolsv.exe
1164	spoolsv.exe
2024	spoolsv.exe
2336	spoolsv.exe
2304	spoolsv.exe
4808	svchost.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exespoolsv.exea339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 1596 set thread context of 4372	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 1596 set thread context of 904	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 2092 set thread context of 632	2092	explorer.exe	explorer.exe
PID 2092 set thread context of 5024	2092	explorer.exe	diskperf.exe
PID 4164 set thread context of 2304	4164	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

spoolsv.exea339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 57 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5108	3196	WerFault.exe	spoolsv.exe
1732	1888	WerFault.exe	spoolsv.exe
4360	4808	WerFault.exe	spoolsv.exe
3556	4428	WerFault.exe	spoolsv.exe
3800	4208	WerFault.exe	spoolsv.exe
3244	2088	WerFault.exe	spoolsv.exe
4168	4876	WerFault.exe	spoolsv.exe
964	3768	WerFault.exe	spoolsv.exe
5016	4516	WerFault.exe	spoolsv.exe
4800	884	WerFault.exe	spoolsv.exe
4436	2424	WerFault.exe	spoolsv.exe
2104	3840	WerFault.exe	spoolsv.exe
4604	1648	WerFault.exe	spoolsv.exe
3172	4136	WerFault.exe	spoolsv.exe
1076	4044	WerFault.exe	spoolsv.exe
2124	2092	WerFault.exe	spoolsv.exe
2728	1164	WerFault.exe	spoolsv.exe
2024	4292	WerFault.exe	spoolsv.exe
3528	448	WerFault.exe	spoolsv.exe
1376	4808	WerFault.exe	spoolsv.exe
808	400	WerFault.exe	spoolsv.exe
3244	992	WerFault.exe	spoolsv.exe
4168	1884	WerFault.exe	spoolsv.exe
964	1252	WerFault.exe	spoolsv.exe
5016	4632	WerFault.exe	spoolsv.exe
1116	216	WerFault.exe	spoolsv.exe
1176	884	WerFault.exe	spoolsv.exe
4436	396	WerFault.exe	spoolsv.exe
4060	3804	WerFault.exe	spoolsv.exe
4080	4740	WerFault.exe	spoolsv.exe
4640	3720	WerFault.exe	spoolsv.exe
3432	4136	WerFault.exe	spoolsv.exe
2708	4044	WerFault.exe	spoolsv.exe
2092	2136	WerFault.exe	spoolsv.exe
2388	4544	WerFault.exe	spoolsv.exe
3516	684	WerFault.exe	spoolsv.exe
3488	4292	WerFault.exe	spoolsv.exe
448	4628	WerFault.exe	spoolsv.exe
3212	4360	WerFault.exe	spoolsv.exe
3180	3800	WerFault.exe	spoolsv.exe
2088	1696	WerFault.exe	spoolsv.exe
1420	4156	WerFault.exe	spoolsv.exe
1244	1544	WerFault.exe	spoolsv.exe
4612	5116	WerFault.exe	spoolsv.exe
348	5016	WerFault.exe	spoolsv.exe
4412	4356	WerFault.exe	spoolsv.exe
4512	2412	WerFault.exe	spoolsv.exe
4960	2616	WerFault.exe	spoolsv.exe
3140	3840	WerFault.exe	spoolsv.exe
4132	4604	WerFault.exe	spoolsv.exe
2588	3492	WerFault.exe	spoolsv.exe
2620	1076	WerFault.exe	spoolsv.exe
2940	1944	WerFault.exe	spoolsv.exe
1524	1172	WerFault.exe	spoolsv.exe
2636	1164	WerFault.exe	spoolsv.exe
1096	2024	WerFault.exe	spoolsv.exe
3528	2336	WerFault.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exeexplorer.exe

pid	process
4372	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
4372	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

632 explorer.exe

pid	process
632	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exeexplorer.exespoolsv.exe

pid	process
4372	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
4372	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
2304	spoolsv.exe
2304	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exea339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1596 wrote to memory of 4372	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 1596 wrote to memory of 4372	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 1596 wrote to memory of 4372	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 1596 wrote to memory of 4372	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 1596 wrote to memory of 4372	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 1596 wrote to memory of 4372	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 1596 wrote to memory of 4372	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 1596 wrote to memory of 4372	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 1596 wrote to memory of 904	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 1596 wrote to memory of 904	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 1596 wrote to memory of 904	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 1596 wrote to memory of 904	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 1596 wrote to memory of 904	1596	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 4372 wrote to memory of 2092	4372	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	explorer.exe
PID 4372 wrote to memory of 2092	4372	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	explorer.exe
PID 4372 wrote to memory of 2092	4372	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	explorer.exe
PID 2092 wrote to memory of 632	2092	explorer.exe	explorer.exe
PID 2092 wrote to memory of 632	2092	explorer.exe	explorer.exe
PID 2092 wrote to memory of 632	2092	explorer.exe	explorer.exe
PID 2092 wrote to memory of 632	2092	explorer.exe	explorer.exe
PID 2092 wrote to memory of 632	2092	explorer.exe	explorer.exe
PID 2092 wrote to memory of 632	2092	explorer.exe	explorer.exe
PID 2092 wrote to memory of 632	2092	explorer.exe	explorer.exe
PID 2092 wrote to memory of 632	2092	explorer.exe	explorer.exe
PID 2092 wrote to memory of 5024	2092	explorer.exe	diskperf.exe
PID 2092 wrote to memory of 5024	2092	explorer.exe	diskperf.exe
PID 2092 wrote to memory of 5024	2092	explorer.exe	diskperf.exe
PID 2092 wrote to memory of 5024	2092	explorer.exe	diskperf.exe
PID 2092 wrote to memory of 5024	2092	explorer.exe	diskperf.exe
PID 632 wrote to memory of 4164	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4164	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4164	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 3196	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 3196	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 3196	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 1888	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 1888	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 1888	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4808	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4808	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4808	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4428	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4428	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4428	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4208	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4208	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4208	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 2088	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 2088	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 2088	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4876	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4876	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4876	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 3768	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 3768	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 3768	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4516	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4516	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 4516	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 884	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 884	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 884	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 2424	632	explorer.exe	spoolsv.exe
PID 632 wrote to memory of 2424	632	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
"C:\Users\Admin\AppData\Local\Temp\a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
"C:\Users\Admin\AppData\Local\Temp\a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2092

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2304

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Executes dropped EXE
PID:4808

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 192
6⤵
- Program crash
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 192
6⤵
- Program crash
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 192
6⤵
- Program crash
PID:4360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 192
6⤵
- Program crash
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 192
6⤵
- Program crash
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 192
6⤵
- Program crash
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 192
6⤵
- Program crash
PID:4168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 192
6⤵
- Program crash
PID:964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 192
6⤵
- Program crash
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 192
6⤵
- Program crash
PID:4800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 192
6⤵
- Program crash
PID:4436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 192
6⤵
- Program crash
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 192
6⤵
- Program crash
PID:4604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 192
6⤵
- Program crash
PID:3172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 192
6⤵
- Program crash
PID:1076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 192
6⤵
- Program crash
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 192
6⤵
- Program crash
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 192
6⤵
- Program crash
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 192
6⤵
- Program crash
PID:3528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 192
6⤵
- Program crash
PID:1376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 192
6⤵
- Program crash
PID:808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 192
6⤵
- Program crash
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 192
6⤵
- Program crash
PID:4168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 192
6⤵
- Program crash
PID:964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 192
6⤵
- Program crash
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 192
6⤵
- Program crash
PID:1116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 192
6⤵
- Program crash
PID:1176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 192
6⤵
- Program crash
PID:4436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 192
6⤵
- Program crash
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 192
6⤵
- Program crash
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 192
6⤵
- Program crash
PID:4640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 192
6⤵
- Program crash
PID:3432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 192
6⤵
- Program crash
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 192
6⤵
- Program crash
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 192
6⤵
- Program crash
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 192
6⤵
- Program crash
PID:3516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 192
6⤵
- Program crash
PID:3488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 200
6⤵
- Program crash
PID:448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 192
6⤵
- Program crash
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 192
6⤵
- Program crash
PID:3180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 192
6⤵
- Program crash
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 192
6⤵
- Program crash
PID:1420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 192
6⤵
- Program crash
PID:1244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 192
6⤵
- Program crash
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 192
6⤵
- Program crash
PID:348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 192
6⤵
- Program crash
PID:4412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 192
6⤵
- Program crash
PID:4512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 192
6⤵
- Program crash
PID:4960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 192
6⤵
- Program crash
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 192
6⤵
- Program crash
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 192
6⤵
- Program crash
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 192
6⤵
- Program crash
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 192
6⤵
- Program crash
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 192
6⤵
- Program crash
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 192
6⤵
- Program crash
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 192
6⤵
- Program crash
PID:1096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 192
6⤵
- Program crash
PID:3528

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:5024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3196 -ip 3196
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1888 -ip 1888
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4808 -ip 4808
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4428 -ip 4428
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4208 -ip 4208
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2088 -ip 2088
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4876 -ip 4876
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3768 -ip 3768
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4516 -ip 4516
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 884 -ip 884
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2424 -ip 2424
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3840 -ip 3840
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1648 -ip 1648
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4136 -ip 4136
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4044 -ip 4044
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2092 -ip 2092
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1164 -ip 1164
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4292 -ip 4292
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 448 -ip 448
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4808 -ip 4808
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 400 -ip 400
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 992 -ip 992
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1884 -ip 1884
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1252 -ip 1252
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4632 -ip 4632
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 216 -ip 216
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 884 -ip 884
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 396 -ip 396
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3804 -ip 3804
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4740 -ip 4740
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3720 -ip 3720
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4136 -ip 4136
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4044 -ip 4044
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2136 -ip 2136
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4544 -ip 4544
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 684 -ip 684
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4292 -ip 4292
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4628 -ip 4628
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4360 -ip 4360
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3800 -ip 3800
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1696 -ip 1696
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4156 -ip 4156
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1544 -ip 1544
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5116 -ip 5116
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5016 -ip 5016
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4356 -ip 4356
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2412 -ip 2412
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2616 -ip 2616
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3840 -ip 3840
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4604 -ip 4604
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3492 -ip 3492
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1076 -ip 1076
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1944 -ip 1944
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1172 -ip 1172
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1164 -ip 1164
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2024 -ip 2024
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2336 -ip 2336
1⤵
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
1.2MB

MD5
75b35c4297d42c36dd13420ea527fc97

SHA1
f25cf1973dd627c9f8692bde299b21db9946a078

SHA256
a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40

SHA512
14269aba39d8fd5785cfcfc55b4266c31e98e62ebb409106d18dba7bc2914c53962fd3c313e8b38384726bc35c1ea03ee7323c5b2bfdf6979baeb5a8e962e780

Download Submit
C:\Windows\System\explorer.exe

Filesize
1.2MB

MD5
e8c53e001a61f861a0317363a9022ded

SHA1
65fb03f3aad0bd2558b9f7fcda0dbb656a261879

SHA256
9f3710349add94176635cc1078d6b9615b1db79309c4039af146b2b033cef7ac

SHA512
f9a5a1f58c0f54085cb29b50085242e9afbb4993ba4fa306e92116866b3bb27e5e32200363773d12ed27bfafa4a6940eee66728c937252b62328f91bfb32d88f

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.2MB

MD5
18aaf8ce6cef681069b2752094d5de0b

SHA1
3414ca69130d2849e6c5b789792890be7ee93115

SHA256
e0dc449ab2232aac999d6edee6c3a59c4edb5936e43997f8044825775b8fdd28

SHA512
988bdab4d3b0bfe674e68f95047d13bcaa2227f627c7ecbb323512cd22dcc18291dc37d2968fddc88cc39276f2ac71e8e538c1a3c7caeb149136bec11e8c107e

Download Submit
memory/448-96-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/632-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/632-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/632-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/904-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/904-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/904-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/904-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/992-101-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1596-19-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1596-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1596-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1596-6-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1596-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1596-3-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1596-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1888-73-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2092-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2092-35-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2092-55-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2092-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2092-28-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2092-29-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2304-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2424-86-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3196-70-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3196-71-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4164-66-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4164-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4164-63-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4164-82-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4164-151-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4372-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-32-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4632-106-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4808-156-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4808-155-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4808-161-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5024-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download