Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 24-10-2024 02:51
Behavioral task: behavioral1
- Sample: fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe
- Resource: win10v2004-20241007-en
General
- Target: fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe
- Size: 3.9MB
- MD5: 5309c3f6de55185dedb1c353afa27c80
- SHA1: d181c03c655ad31440248ebb398a91c35defed39
- SHA256: fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583
- SHA512: 0c10ac905296f1a360c2d48b13669bc9dd6f3c1d4e7b8bce495e29e69c137204bcf946935336629b14a539c782320e995313bba2c59af31b350f810bcda6dca9
- SSDEEP: 24576:GIbGD2JTu0GoWQDbGV6eH8tkxIbGD2JTu0GoWQDbGV6eH8tkxIbGD2JTu0GoWQDW:7C0bNechC0bNechC0bNecO
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT payload (3 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0009000000016ab9-43.dat | warzonerat |
| behavioral1/files/0x0008000000016644-77.dat | warzonerat |
| behavioral1/files/0x000a000000016644-95.dat | warzonerat |
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe |

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0009000000016ab9-43.dat | aspack_v212_v242 |
| behavioral1/files/0x0008000000016644-77.dat | aspack_v212_v242 |
| behavioral1/files/0x000a000000016644-95.dat | aspack_v212_v242 |
Executes dropped EXE (12 IoCs)

| pid | Process |
|---|---|
| 2728 | explorer.exe |
| 2272 | explorer.exe |
| 1880 | spoolsv.exe |
| 1620 | spoolsv.exe |
| 2524 | spoolsv.exe |
| 2516 | spoolsv.exe |
| 1320 | spoolsv.exe |
| 1536 | spoolsv.exe |
| 2624 | spoolsv.exe |
| 900 | spoolsv.exe |
| 3000 | spoolsv.exe |
| 2820 | svchost.exe |
Loads dropped DLL (64 IoCs)
Adds Run key to start application (2 TTPs, 5 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | spoolsv.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | explorer.exe |
Suspicious use of SetThreadContext (6 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2196 set thread context of 2748 | 2196 | fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe | 31 |
| PID 2196 set thread context of 2660 | 2196 | fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe | 32 |
| PID 2728 set thread context of 2272 | 2728 | explorer.exe | 34 |
| PID 2728 set thread context of 2324 | 2728 | explorer.exe | 35 |
| PID 1880 set thread context of 3000 | 1880 | spoolsv.exe | 51 |
| PID 1880 set thread context of 2700 | 1880 | spoolsv.exe | 52 |
Drops file in Windows directory (5 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe |
| File opened for modification | C:\Windows\system\udsys.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (7 IoCs)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 2596 | 1620 | WerFault.exe | 37 |
| 2640 | 2524 | WerFault.exe | 39 |
| 1592 | 2516 | WerFault.exe | 41 |
| 1916 | 1320 | WerFault.exe | 43 |
| 904 | 1536 | WerFault.exe | 45 |
| 2808 | 2624 | WerFault.exe | 47 |
| 2176 | 900 | WerFault.exe | 49 |
System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)

| pid | Process |
|---|---|
| 2272 | explorer.exe |

Suspicious use of SetWindowsHookEx (8 IoCs)

| pid | Process |
|---|---|
| 2748 | fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe |
| 2748 | fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe |
| 2272 | explorer.exe |
| 2272 | explorer.exe |
| 2272 | explorer.exe |
| 2272 | explorer.exe |
| 3000 | spoolsv.exe |
| 3000 | spoolsv.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (process tree; each process is indented under its parent, with its tree depth in brackets)

[depth 1] C:\Users\Admin\AppData\Local\Temp\fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe"
  PID: 2196
  Signatures:
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583.exe"
    PID: 2748
    Signatures:
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [depth 3] \??\c:\windows\system\explorer.exe
      Command line: c:\windows\system\explorer.exe
      PID: 2728
      Signatures:
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [depth 4] \??\c:\windows\system\explorer.exe
        Command line: c:\windows\system\explorer.exe
        PID: 2272
        Signatures:
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          PID: 1880
          Signatures:
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 3000
            Signatures:
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            [depth 7] \??\c:\windows\system\svchost.exe
              Command line: c:\windows\system\svchost.exe
              PID: 2820
              Signatures:
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\SysWOW64\diskperf.exe
            Command line: "C:\Windows\SysWOW64\diskperf.exe"
            PID: 2700
            Signatures: none listed
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          PID: 1620
          Signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 36
            PID: 2596
            Signatures:
            - Loads dropped DLL
            - Program crash
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          PID: 2524
          Signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 36
            PID: 2640
            Signatures:
            - Loads dropped DLL
            - Program crash
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          PID: 2516
          Signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 36
            PID: 1592
            Signatures:
            - Loads dropped DLL
            - Program crash
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          PID: 1320
          Signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 36
            PID: 1916
            Signatures:
            - Loads dropped DLL
            - Program crash
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          PID: 1536
          Signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 36
            PID: 904
            Signatures:
            - Loads dropped DLL
            - Program crash
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          PID: 2624
          Signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 36
            PID: 2808
            Signatures:
            - Loads dropped DLL
            - Program crash
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          PID: 900
          Signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 36
            PID: 2176
            Signatures:
            - Loads dropped DLL
            - Program crash
      [depth 4] C:\Windows\SysWOW64\diskperf.exe
        Command line: "C:\Windows\SysWOW64\diskperf.exe"
        PID: 2324
        Signatures: none listed
  [depth 2] C:\Windows\SysWOW64\diskperf.exe
    Command line: "C:\Windows\SysWOW64\diskperf.exe"
    PID: 2660
    Signatures: none listed
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (4)
Downloads
- Filesize: 3.9MB
  MD5: 5309c3f6de55185dedb1c353afa27c80
  SHA1: d181c03c655ad31440248ebb398a91c35defed39
  SHA256: fdbfec821ce43125f7e1108bfb22bab9a6e52af0dbc1b7abb08f15daf2fd8583
  SHA512: 0c10ac905296f1a360c2d48b13669bc9dd6f3c1d4e7b8bce495e29e69c137204bcf946935336629b14a539c782320e995313bba2c59af31b350f810bcda6dca9
- Filesize: 3.9MB
  MD5: c0080be79f2368cbec76e0c52cf51783
  SHA1: d15e22ca9f9b00f3b99f303318fc71989b323ff9
  SHA256: 94301ce1cf4ab7345e6f58959ec8b68cad67180524998f2e5c59565b36f5c291
  SHA512: 13ddbd0cde5fc685f3df65de5fd5e019f777bebaef161b04a845bddf9eaf005533c5d83db1d5b90ad5321a6255231773b8d312b4c07745b05ed616195eb53f43
- Filesize: 3.9MB
  MD5: bde1f81c25a1793989744fc6f84cc06a
  SHA1: 00264c5dde29cc9b84b16a84bec1463a8072b29a
  SHA256: 158be9206c4ced0752e8ad3fa1f1ff3f9cc0f089e8e1cdc681a199c0daef5497
  SHA512: 718b4a770860c306287be5b6b58f3551b21b9d7807c09690f6b1d7f5eb06ca2b1f2d2845601e36aa4099cf6edeb6f183f845a11af3c6c917e2d2e2215edb8120