warzonerat | 3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
Size

8.2MB
MD5

bf0df2193b73a2fe2f71d103822cc550
SHA1

40fa08e2c45fa03547d305ef7a59462aa141c5e1
SHA256

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5
SHA512

47a0b95f1dd1931a9eaf98c9c503247fcda2871892d2aa8f88d00ac4255e3a778660e0926aa94f5b76e350145080b1fa471db31796869543539646b237a8f283
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNec2:V8e8e8f8e8e83

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242

Executes dropped EXE 9 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid process

2652 explorer.exe
1976 explorer.exe
1820 spoolsv.exe
3040 spoolsv.exe
448 spoolsv.exe
1580 spoolsv.exe
768 spoolsv.exe
2360 spoolsv.exe
1600 spoolsv.exe

pid	process
2652	explorer.exe
1976	explorer.exe
1820	spoolsv.exe
3040	spoolsv.exe
448	spoolsv.exe
1580	spoolsv.exe
768	spoolsv.exe
2360	spoolsv.exe
1600	spoolsv.exe

Loads dropped DLL 58 IoCs

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2756	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
2756	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
1976	explorer.exe
1976	explorer.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1976	explorer.exe
1976	explorer.exe
308	WerFault.exe
308	WerFault.exe
308	WerFault.exe
308	WerFault.exe
308	WerFault.exe
308	WerFault.exe
308	WerFault.exe
1976	explorer.exe
1976	explorer.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
1976	explorer.exe
1976	explorer.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1976	explorer.exe
1976	explorer.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exe

description	pid	process	target process
PID 2400 set thread context of 2756	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 2400 set thread context of 2336	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 2652 set thread context of 1976	2652	explorer.exe	explorer.exe
PID 2652 set thread context of 616	2652	explorer.exe	diskperf.exe

Drops file in Windows directory 3 IoCs

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2136	3040	WerFault.exe	spoolsv.exe
1092	448	WerFault.exe	spoolsv.exe
308	1580	WerFault.exe	spoolsv.exe
2560	768	WerFault.exe	spoolsv.exe
1824	2360	WerFault.exe	spoolsv.exe
872	1600	WerFault.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exespoolsv.exe3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exe

pid	process
2756	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exe

pid	process
2756	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
2756	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2400 wrote to memory of 2756	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 2400 wrote to memory of 2756	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 2400 wrote to memory of 2756	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 2400 wrote to memory of 2756	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 2400 wrote to memory of 2756	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 2400 wrote to memory of 2756	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 2400 wrote to memory of 2756	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 2400 wrote to memory of 2756	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 2400 wrote to memory of 2756	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 2400 wrote to memory of 2336	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 2400 wrote to memory of 2336	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 2400 wrote to memory of 2336	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 2400 wrote to memory of 2336	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 2400 wrote to memory of 2336	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 2400 wrote to memory of 2336	2400	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 2756 wrote to memory of 2652	2756	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	explorer.exe
PID 2756 wrote to memory of 2652	2756	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	explorer.exe
PID 2756 wrote to memory of 2652	2756	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	explorer.exe
PID 2756 wrote to memory of 2652	2756	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	explorer.exe
PID 2652 wrote to memory of 1976	2652	explorer.exe	explorer.exe
PID 2652 wrote to memory of 1976	2652	explorer.exe	explorer.exe
PID 2652 wrote to memory of 1976	2652	explorer.exe	explorer.exe
PID 2652 wrote to memory of 1976	2652	explorer.exe	explorer.exe
PID 2652 wrote to memory of 1976	2652	explorer.exe	explorer.exe
PID 2652 wrote to memory of 1976	2652	explorer.exe	explorer.exe
PID 2652 wrote to memory of 1976	2652	explorer.exe	explorer.exe
PID 2652 wrote to memory of 1976	2652	explorer.exe	explorer.exe
PID 2652 wrote to memory of 1976	2652	explorer.exe	explorer.exe
PID 2652 wrote to memory of 616	2652	explorer.exe	diskperf.exe
PID 2652 wrote to memory of 616	2652	explorer.exe	diskperf.exe
PID 2652 wrote to memory of 616	2652	explorer.exe	diskperf.exe
PID 2652 wrote to memory of 616	2652	explorer.exe	diskperf.exe
PID 2652 wrote to memory of 616	2652	explorer.exe	diskperf.exe
PID 2652 wrote to memory of 616	2652	explorer.exe	diskperf.exe
PID 1976 wrote to memory of 1820	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 1820	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 1820	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 1820	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 3040	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 3040	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 3040	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 3040	1976	explorer.exe	spoolsv.exe
PID 3040 wrote to memory of 2136	3040	spoolsv.exe	WerFault.exe
PID 3040 wrote to memory of 2136	3040	spoolsv.exe	WerFault.exe
PID 3040 wrote to memory of 2136	3040	spoolsv.exe	WerFault.exe
PID 3040 wrote to memory of 2136	3040	spoolsv.exe	WerFault.exe
PID 1976 wrote to memory of 448	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 448	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 448	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 448	1976	explorer.exe	spoolsv.exe
PID 448 wrote to memory of 1092	448	spoolsv.exe	WerFault.exe
PID 448 wrote to memory of 1092	448	spoolsv.exe	WerFault.exe
PID 448 wrote to memory of 1092	448	spoolsv.exe	WerFault.exe
PID 448 wrote to memory of 1092	448	spoolsv.exe	WerFault.exe
PID 1976 wrote to memory of 1580	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 1580	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 1580	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 1580	1976	explorer.exe	spoolsv.exe
PID 1580 wrote to memory of 308	1580	spoolsv.exe	WerFault.exe
PID 1580 wrote to memory of 308	1580	spoolsv.exe	WerFault.exe
PID 1580 wrote to memory of 308	1580	spoolsv.exe	WerFault.exe
PID 1580 wrote to memory of 308	1580	spoolsv.exe	WerFault.exe
PID 1976 wrote to memory of 768	1976	explorer.exe	spoolsv.exe
PID 1976 wrote to memory of 768	1976	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
"C:\Users\Admin\AppData\Local\Temp\3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
  "C:\Users\Admin\AppData\Local\Temp\3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2756
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2360
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1600
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:872
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:616
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
bf0df2193b73a2fe2f71d103822cc550

SHA1
40fa08e2c45fa03547d305ef7a59462aa141c5e1

SHA256
3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5

SHA512
47a0b95f1dd1931a9eaf98c9c503247fcda2871892d2aa8f88d00ac4255e3a778660e0926aa94f5b76e350145080b1fa471db31796869543539646b237a8f283

Download Submit
C:\Windows\system\explorer.exe

Filesize
8.2MB

MD5
bcd3ff3ddc6dbe8a900c7f76790cfd84

SHA1
ff8b95402ab26faadd7f35efb6a501d62c374752

SHA256
359d83d5e346efb0bd91b6397d44ea8d1a860bfbadcef9e609688602c77d9cea

SHA512
cf9fd546e6595b5264c8156a36264b778ef53e689749c344e02b99bbc44f4fc599913ccd1e76e2af0ca45858d904c01307c7be002cb7aaae636936fd1e144fe7

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.2MB

MD5
33529a3b4970ee27be5152407cd26295

SHA1
fe1c92838bc1316adb0bd934eb21fd00b8e4b885

SHA256
1e6b16585eacc4ef157be4cf8bb402036fd9efd59f9a0820b160373eae9874c5

SHA512
b3ebda01714c37d3a5503cdf3f8d93fbb71fcc80b73a9a2297cb2121b23247c6ea8b4aec98e05436e051eb0d358f8d1f1132922d2f8f1db185c022f1ae4fe50f

Download Submit
memory/768-172-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1580-156-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1820-104-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1820-135-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1820-105-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1820-103-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1976-133-0x00000000031E0000-0x00000000032F4000-memory.dmp

Filesize
1.1MB

Download
memory/1976-134-0x00000000031E0000-0x00000000032F4000-memory.dmp

Filesize
1.1MB

Download
memory/1976-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-111-0x00000000031E0000-0x00000000032F4000-memory.dmp

Filesize
1.1MB

Download
memory/1976-144-0x00000000031E0000-0x00000000032F4000-memory.dmp

Filesize
1.1MB

Download
memory/1976-97-0x00000000031E0000-0x00000000032F4000-memory.dmp

Filesize
1.1MB

Download
memory/1976-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-150-0x00000000031E0000-0x00000000032F4000-memory.dmp

Filesize
1.1MB

Download
memory/2336-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2336-43-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2336-42-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2336-37-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2336-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2400-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2400-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2400-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2400-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2400-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2400-6-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2400-40-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2400-22-0x0000000003180000-0x0000000003294000-memory.dmp

Filesize
1.1MB

Download
memory/2652-52-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2652-88-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2652-56-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2652-55-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2652-51-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2756-54-0x0000000003170000-0x0000000003284000-memory.dmp

Filesize
1.1MB

Download
memory/2756-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-53-0x0000000003170000-0x0000000003284000-memory.dmp

Filesize
1.1MB

Download
memory/2756-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3040-117-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download