warzonerat | 1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
Size

8.9MB
MD5

4b97fdc0035fab22e6bd2ebc1ba74500
SHA1

6c6724787d4672b63aca377742aee107f2bcc802
SHA256

1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4
SHA512

fc80c6805aa5c0b1ba69789a5f3d57414c53e44c33d31fc9f862c20d015396a7a6d1420fbfb95fc38078f50e12e1ad2755124d7dab9f40a283ed6b36ad8e5054
SSDEEP

49152:K1XP6rPbNechC0bNechC0bNecIC0bNechC0bNechC0bNec8MMMMMMMMMMMMMMMM6:K1+8e8e8f8e8e8E

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
behavioral1/memory/2716-38-0x0000000002E00000-0x0000000002F15000-memory.dmp	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 54 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exesvchost.exespoolsv.exesvchost.exespoolsv.exesvchost.exespoolsv.exesvchost.exespoolsv.exesvchost.exespoolsv.exesvchost.exe

pid	process
2976	explorer.exe
2132	explorer.exe
2368	spoolsv.exe
2360	spoolsv.exe
2532	spoolsv.exe
520	spoolsv.exe
732	spoolsv.exe
1884	spoolsv.exe
364	spoolsv.exe
1548	spoolsv.exe
1956	spoolsv.exe
1984	spoolsv.exe
664	spoolsv.exe
1068	spoolsv.exe
1536	spoolsv.exe
980	spoolsv.exe
2948	spoolsv.exe
2832	spoolsv.exe
2724	spoolsv.exe
2172	spoolsv.exe
1996	spoolsv.exe
1276	spoolsv.exe
2188	spoolsv.exe
2904	spoolsv.exe
2256	spoolsv.exe
2996	spoolsv.exe
3020	spoolsv.exe
1948	spoolsv.exe
2084	spoolsv.exe
2160	spoolsv.exe
2164	spoolsv.exe
2396	spoolsv.exe
2224	spoolsv.exe
1124	spoolsv.exe
3056	spoolsv.exe
2356	spoolsv.exe
936	spoolsv.exe
1320	spoolsv.exe
2320	spoolsv.exe
2044	spoolsv.exe
2636	spoolsv.exe
548	svchost.exe
1004	spoolsv.exe
2872	svchost.exe
2328	spoolsv.exe
2916	svchost.exe
2900	spoolsv.exe
2840	svchost.exe
2712	spoolsv.exe
2072	svchost.exe
1584	spoolsv.exe
2152	svchost.exe
1992	spoolsv.exe
676	svchost.exe

Loads dropped DLL 64 IoCs

Processes:

1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exeexplorer.exe

pid	process
2716	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
2716	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exe1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 22 IoCs

Processes:

1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2776 set thread context of 2716	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
PID 2776 set thread context of 2112	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	diskperf.exe
PID 2976 set thread context of 2132	2976	explorer.exe	explorer.exe
PID 2976 set thread context of 2020	2976	explorer.exe	diskperf.exe
PID 2360 set thread context of 3056	2360	spoolsv.exe	spoolsv.exe
PID 2360 set thread context of 1060	2360	spoolsv.exe	diskperf.exe
PID 2532 set thread context of 936	2532	spoolsv.exe	spoolsv.exe
PID 2532 set thread context of 1472	2532	spoolsv.exe	diskperf.exe
PID 2368 set thread context of 2320	2368	spoolsv.exe	spoolsv.exe
PID 2368 set thread context of 2940	2368	spoolsv.exe	diskperf.exe
PID 520 set thread context of 1004	520	spoolsv.exe	spoolsv.exe
PID 520 set thread context of 1048	520	spoolsv.exe	diskperf.exe
PID 732 set thread context of 2328	732	spoolsv.exe	spoolsv.exe
PID 732 set thread context of 2792	732	spoolsv.exe	diskperf.exe
PID 1884 set thread context of 2900	1884	spoolsv.exe	spoolsv.exe
PID 1884 set thread context of 3028	1884	spoolsv.exe	diskperf.exe
PID 364 set thread context of 2712	364	spoolsv.exe	spoolsv.exe
PID 364 set thread context of 2288	364	spoolsv.exe	diskperf.exe
PID 1548 set thread context of 1584	1548	spoolsv.exe	spoolsv.exe
PID 1548 set thread context of 1936	1548	spoolsv.exe	diskperf.exe
PID 1956 set thread context of 1992	1956	spoolsv.exe	spoolsv.exe
PID 1956 set thread context of 2968	1956	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exe1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exesvchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exeexplorer.exe

pid	process
2716	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2132 explorer.exe

pid	process
2132	explorer.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2716	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
2716	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
2132	explorer.exe
3056	spoolsv.exe
3056	spoolsv.exe
936	spoolsv.exe
936	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
1004	spoolsv.exe
1004	spoolsv.exe
2328	spoolsv.exe
2328	spoolsv.exe
2900	spoolsv.exe
2900	spoolsv.exe
2712	spoolsv.exe
2712	spoolsv.exe
1584	spoolsv.exe
1584	spoolsv.exe
1992	spoolsv.exe
1992	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2776 wrote to memory of 2716	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
PID 2776 wrote to memory of 2716	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
PID 2776 wrote to memory of 2716	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
PID 2776 wrote to memory of 2716	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
PID 2776 wrote to memory of 2716	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
PID 2776 wrote to memory of 2716	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
PID 2776 wrote to memory of 2716	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
PID 2776 wrote to memory of 2716	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
PID 2776 wrote to memory of 2716	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
PID 2776 wrote to memory of 2112	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	diskperf.exe
PID 2776 wrote to memory of 2112	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	diskperf.exe
PID 2776 wrote to memory of 2112	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	diskperf.exe
PID 2776 wrote to memory of 2112	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	diskperf.exe
PID 2776 wrote to memory of 2112	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	diskperf.exe
PID 2776 wrote to memory of 2112	2776	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	diskperf.exe
PID 2716 wrote to memory of 2976	2716	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	explorer.exe
PID 2716 wrote to memory of 2976	2716	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	explorer.exe
PID 2716 wrote to memory of 2976	2716	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	explorer.exe
PID 2716 wrote to memory of 2976	2716	1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe	explorer.exe
PID 2976 wrote to memory of 2132	2976	explorer.exe	explorer.exe
PID 2976 wrote to memory of 2132	2976	explorer.exe	explorer.exe
PID 2976 wrote to memory of 2132	2976	explorer.exe	explorer.exe
PID 2976 wrote to memory of 2132	2976	explorer.exe	explorer.exe
PID 2976 wrote to memory of 2132	2976	explorer.exe	explorer.exe
PID 2976 wrote to memory of 2132	2976	explorer.exe	explorer.exe
PID 2976 wrote to memory of 2132	2976	explorer.exe	explorer.exe
PID 2976 wrote to memory of 2132	2976	explorer.exe	explorer.exe
PID 2976 wrote to memory of 2132	2976	explorer.exe	explorer.exe
PID 2976 wrote to memory of 2020	2976	explorer.exe	diskperf.exe
PID 2976 wrote to memory of 2020	2976	explorer.exe	diskperf.exe
PID 2976 wrote to memory of 2020	2976	explorer.exe	diskperf.exe
PID 2976 wrote to memory of 2020	2976	explorer.exe	diskperf.exe
PID 2976 wrote to memory of 2020	2976	explorer.exe	diskperf.exe
PID 2976 wrote to memory of 2020	2976	explorer.exe	diskperf.exe
PID 2132 wrote to memory of 2368	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 2368	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 2368	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 2368	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 2360	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 2360	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 2360	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 2360	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 2532	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 2532	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 2532	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 2532	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 520	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 520	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 520	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 520	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 732	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 732	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 732	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 732	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 1884	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 1884	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 1884	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 1884	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 364	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 364	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 364	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 364	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 1548	2132	explorer.exe	spoolsv.exe
PID 2132 wrote to memory of 1548	2132	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
"C:\Users\Admin\AppData\Local\Temp\1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe
  "C:\Users\Admin\AppData\Local\Temp\1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2716
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2368
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2320
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2360
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:548
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2532
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:936
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:520
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2872
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:732
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2916
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1884
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:364
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1548
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1956
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:676
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2636
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:2020
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.9MB

MD5
4b97fdc0035fab22e6bd2ebc1ba74500

SHA1
6c6724787d4672b63aca377742aee107f2bcc802

SHA256
1645874c3b53a69795012df93c88f0995979c58d2549d97f88d16b196017d9d4

SHA512
fc80c6805aa5c0b1ba69789a5f3d57414c53e44c33d31fc9f862c20d015396a7a6d1420fbfb95fc38078f50e12e1ad2755124d7dab9f40a283ed6b36ad8e5054

Download Submit
C:\Windows\system\explorer.exe

Filesize
8.9MB

MD5
4c5fd4ef2b969549051bd7ebe10bdc9c

SHA1
7fe3319da7ff0122a43d2547a681f96c59de1ca0

SHA256
f94f8d322372731236a7ca249f8706c444c4c7b3a9bd991f9843102f952822ae

SHA512
340e8ddfd3eb470df9fde5fca8a184babb8299321386edf15b72b9b94ca874ce2964d74981546a8696fd7f5d926031d56d28ce8711f620aa7fd381b814bda28c

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.9MB

MD5
4f972d27f16ff53c17b6f5beb1968eb8

SHA1
33b3536f331f4b46a4e4ef80d0940b6aa0f9ee34

SHA256
518dd9330cee7e485a135ce5c613139052f4c2618df9a0684ebc30ef821a997b

SHA512
838a91e4caf9a38367684155c3f4839dca90555fa94aaa9b83a3c7bcb1e9f8bb79217572f9fb7cf31d80da74470c6f9a8300d63de1f9fa395941744e016e5989

Download Submit
memory/364-156-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/520-147-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/664-201-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/732-136-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/732-164-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/980-233-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/980-256-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1060-385-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1068-232-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1276-325-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1276-296-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1536-236-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1548-200-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1548-168-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1884-176-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1948-447-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1956-179-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1984-221-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1996-288-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2084-448-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2084-348-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2112-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2112-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2112-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2112-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2112-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2132-278-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-309-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-109-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-111-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-99-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-253-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-121-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-124-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-122-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-274-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-287-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-134-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-275-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-146-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-86-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-295-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-310-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-167-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-165-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-323-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-177-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-324-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-190-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-189-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-188-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-332-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-336-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-209-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-219-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-220-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-341-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-349-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-255-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-230-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-234-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-361-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2132-235-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2160-355-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2164-362-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2172-302-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2188-303-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2188-340-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2256-317-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2360-126-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2360-389-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2360-101-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2368-434-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2368-113-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2368-88-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2532-137-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2532-112-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2532-413-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2716-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-38-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2716-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-43-0x0000000002E00000-0x0000000002F15000-memory.dmp

Filesize
1.1MB

Download
memory/2724-294-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2776-3-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2776-0-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2776-2-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2776-17-0x0000000002D60000-0x0000000002E75000-memory.dmp

Filesize
1.1MB

Download
memory/2776-1-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2776-30-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2832-277-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2904-311-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2904-347-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2948-273-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2948-245-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2976-45-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2976-77-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2976-46-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2976-49-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2996-326-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3020-333-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download