warzonerat | 3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
Size

8.2MB
MD5

bf0df2193b73a2fe2f71d103822cc550
SHA1

40fa08e2c45fa03547d305ef7a59462aa141c5e1
SHA256

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5
SHA512

47a0b95f1dd1931a9eaf98c9c503247fcda2871892d2aa8f88d00ac4255e3a778660e0926aa94f5b76e350145080b1fa471db31796869543539646b237a8f283
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNec2:V8e8e8f8e8e83

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242

Executes dropped EXE 56 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1012	explorer.exe
3356	explorer.exe
4336	spoolsv.exe
4836	spoolsv.exe
4900	spoolsv.exe
228	spoolsv.exe
2116	spoolsv.exe
3436	spoolsv.exe
3920	spoolsv.exe
2852	spoolsv.exe
3280	spoolsv.exe
4676	spoolsv.exe
2228	spoolsv.exe
4508	spoolsv.exe
2912	spoolsv.exe
2940	spoolsv.exe
2644	spoolsv.exe
3484	spoolsv.exe
1124	spoolsv.exe
708	spoolsv.exe
1900	spoolsv.exe
3616	spoolsv.exe
4616	spoolsv.exe
2272	spoolsv.exe
3676	spoolsv.exe
5032	spoolsv.exe
2424	spoolsv.exe
4460	spoolsv.exe
4904	spoolsv.exe
3156	spoolsv.exe
2040	spoolsv.exe
4900	spoolsv.exe
5112	spoolsv.exe
4660	spoolsv.exe
2892	spoolsv.exe
3692	spoolsv.exe
1688	spoolsv.exe
4572	spoolsv.exe
2944	spoolsv.exe
2248	spoolsv.exe
1704	spoolsv.exe
2360	spoolsv.exe
3516	spoolsv.exe
1964	spoolsv.exe
1156	spoolsv.exe
1752	spoolsv.exe
5052	spoolsv.exe
860	spoolsv.exe
3568	spoolsv.exe
3456	spoolsv.exe
1052	spoolsv.exe
864	spoolsv.exe
984	spoolsv.exe
2424	spoolsv.exe
624	spoolsv.exe
4636	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exe

description	pid	process	target process
PID 3312 set thread context of 3348	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 3312 set thread context of 2124	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 1012 set thread context of 3356	1012	explorer.exe	explorer.exe
PID 1012 set thread context of 2572	1012	explorer.exe	diskperf.exe

Drops file in Windows directory 3 IoCs

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 53 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4304	4836	WerFault.exe	spoolsv.exe
4192	4900	WerFault.exe	spoolsv.exe
632	228	WerFault.exe	spoolsv.exe
64	2116	WerFault.exe	spoolsv.exe
1536	3436	WerFault.exe	spoolsv.exe
3948	3920	WerFault.exe	spoolsv.exe
4424	2852	WerFault.exe	spoolsv.exe
4628	3280	WerFault.exe	spoolsv.exe
3492	4676	WerFault.exe	spoolsv.exe
1184	2228	WerFault.exe	spoolsv.exe
3264	4508	WerFault.exe	spoolsv.exe
4444	2912	WerFault.exe	spoolsv.exe
3220	2940	WerFault.exe	spoolsv.exe
1636	2644	WerFault.exe	spoolsv.exe
1772	3484	WerFault.exe	spoolsv.exe
1344	1124	WerFault.exe	spoolsv.exe
4804	708	WerFault.exe	spoolsv.exe
860	1900	WerFault.exe	spoolsv.exe
3244	3616	WerFault.exe	spoolsv.exe
4156	4616	WerFault.exe	spoolsv.exe
1052	2272	WerFault.exe	spoolsv.exe
4892	3676	WerFault.exe	spoolsv.exe
4284	5032	WerFault.exe	spoolsv.exe
2356	2424	WerFault.exe	spoolsv.exe
1592	4460	WerFault.exe	spoolsv.exe
2500	4904	WerFault.exe	spoolsv.exe
212	3156	WerFault.exe	spoolsv.exe
2556	2040	WerFault.exe	spoolsv.exe
2016	4900	WerFault.exe	spoolsv.exe
3596	5112	WerFault.exe	spoolsv.exe
3252	4660	WerFault.exe	spoolsv.exe
1096	2892	WerFault.exe	spoolsv.exe
2440	3692	WerFault.exe	spoolsv.exe
1468	1688	WerFault.exe	spoolsv.exe
2792	4572	WerFault.exe	spoolsv.exe
644	2944	WerFault.exe	spoolsv.exe
3940	2248	WerFault.exe	spoolsv.exe
668	1704	WerFault.exe	spoolsv.exe
532	2360	WerFault.exe	spoolsv.exe
1804	3516	WerFault.exe	spoolsv.exe
1332	1964	WerFault.exe	spoolsv.exe
4728	1156	WerFault.exe	spoolsv.exe
696	1752	WerFault.exe	spoolsv.exe
708	5052	WerFault.exe	spoolsv.exe
4988	860	WerFault.exe	spoolsv.exe
1776	3568	WerFault.exe	spoolsv.exe
4580	3456	WerFault.exe	spoolsv.exe
4740	1052	WerFault.exe	spoolsv.exe
628	864	WerFault.exe	spoolsv.exe
2068	984	WerFault.exe	spoolsv.exe
4840	2424	WerFault.exe	spoolsv.exe
2224	624	WerFault.exe	spoolsv.exe
4104	4636	WerFault.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exeexplorer.exespoolsv.exe3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exe

pid	process
3348	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
3348	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exe

pid	process
3348	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
3348	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe
3356	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3312 wrote to memory of 3348	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 3312 wrote to memory of 3348	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 3312 wrote to memory of 3348	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 3312 wrote to memory of 3348	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 3312 wrote to memory of 3348	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 3312 wrote to memory of 3348	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 3312 wrote to memory of 3348	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 3312 wrote to memory of 3348	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
PID 3312 wrote to memory of 2124	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 3312 wrote to memory of 2124	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 3312 wrote to memory of 2124	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 3312 wrote to memory of 2124	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 3312 wrote to memory of 2124	3312	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	diskperf.exe
PID 3348 wrote to memory of 1012	3348	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	explorer.exe
PID 3348 wrote to memory of 1012	3348	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	explorer.exe
PID 3348 wrote to memory of 1012	3348	3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe	explorer.exe
PID 1012 wrote to memory of 3356	1012	explorer.exe	explorer.exe
PID 1012 wrote to memory of 3356	1012	explorer.exe	explorer.exe
PID 1012 wrote to memory of 3356	1012	explorer.exe	explorer.exe
PID 1012 wrote to memory of 3356	1012	explorer.exe	explorer.exe
PID 1012 wrote to memory of 3356	1012	explorer.exe	explorer.exe
PID 1012 wrote to memory of 3356	1012	explorer.exe	explorer.exe
PID 1012 wrote to memory of 3356	1012	explorer.exe	explorer.exe
PID 1012 wrote to memory of 3356	1012	explorer.exe	explorer.exe
PID 1012 wrote to memory of 2572	1012	explorer.exe	diskperf.exe
PID 1012 wrote to memory of 2572	1012	explorer.exe	diskperf.exe
PID 1012 wrote to memory of 2572	1012	explorer.exe	diskperf.exe
PID 1012 wrote to memory of 2572	1012	explorer.exe	diskperf.exe
PID 1012 wrote to memory of 2572	1012	explorer.exe	diskperf.exe
PID 3356 wrote to memory of 4336	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4336	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4336	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4836	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4836	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4836	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4900	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4900	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4900	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 228	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 228	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 228	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 2116	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 2116	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 2116	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 3436	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 3436	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 3436	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 3920	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 3920	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 3920	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 2852	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 2852	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 2852	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 3280	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 3280	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 3280	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4676	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4676	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4676	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 2228	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 2228	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 2228	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4508	3356	explorer.exe	spoolsv.exe
PID 3356 wrote to memory of 4508	3356	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
"C:\Users\Admin\AppData\Local\Temp\3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Users\Admin\AppData\Local\Temp\3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe
  "C:\Users\Admin\AppData\Local\Temp\3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3348
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4836
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 192
        6⤵
        Program crash
        
        PID:4304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 192
        6⤵
        Program crash
        
        PID:4192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 192
        6⤵
        Program crash
        
        PID:632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2116
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 192
        6⤵
        Program crash
        
        PID:64
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 192
        6⤵
        Program crash
        
        PID:1536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 192
        6⤵
        Program crash
        
        PID:3948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 192
        6⤵
        Program crash
        
        PID:4424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 192
        6⤵
        Program crash
        
        PID:4628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4676
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 192
        6⤵
        Program crash
        
        PID:3492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 192
        6⤵
        Program crash
        
        PID:1184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4508
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 192
        6⤵
        Program crash
        
        PID:3264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 192
        6⤵
        Program crash
        
        PID:4444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 192
        6⤵
        Program crash
        
        PID:3220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 192
        6⤵
        Program crash
        
        PID:1636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3484
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 192
        6⤵
        Program crash
        
        PID:1772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 192
        6⤵
        Program crash
        
        PID:1344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 192
        6⤵
        Program crash
        
        PID:4804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 192
        6⤵
        Program crash
        
        PID:860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 192
        6⤵
        Program crash
        
        PID:3244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 192
        6⤵
        Program crash
        
        PID:4156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2272
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 192
        6⤵
        Program crash
        
        PID:1052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3676
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 192
        6⤵
        Program crash
        
        PID:4892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 192
        6⤵
        Program crash
        
        PID:4284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 192
        6⤵
        Program crash
        
        PID:2356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 192
        6⤵
        Program crash
        
        PID:1592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 192
        6⤵
        Program crash
        
        PID:2500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3156
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 192
        6⤵
        Program crash
        
        PID:212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 192
        6⤵
        Program crash
        
        PID:2556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 192
        6⤵
        Program crash
        
        PID:2016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 192
        6⤵
        Program crash
        
        PID:3596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4660
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 192
        6⤵
        Program crash
        
        PID:3252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2892
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 192
        6⤵
        Program crash
        
        PID:1096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 192
        6⤵
        Program crash
        
        PID:2440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 192
        6⤵
        Program crash
        
        PID:1468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 192
        6⤵
        Program crash
        
        PID:2792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2944
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 192
        6⤵
        Program crash
        
        PID:644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 192
        6⤵
        Program crash
        
        PID:3940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 192
        6⤵
        Program crash
        
        PID:668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2360
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 192
        6⤵
        Program crash
        
        PID:532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 192
        6⤵
        Program crash
        
        PID:1804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 192
        6⤵
        Program crash
        
        PID:1332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1156
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 192
        6⤵
        Program crash
        
        PID:4728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1752
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 192
        6⤵
        Program crash
        
        PID:696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 192
        6⤵
        Program crash
        
        PID:708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:860
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 192
        6⤵
        Program crash
        
        PID:4988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3568
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 192
        6⤵
        Program crash
        
        PID:1776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 192
        6⤵
        Program crash
        
        PID:4580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 192
        6⤵
        Program crash
        
        PID:4740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:864
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 192
        6⤵
        Program crash
        
        PID:628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 192
        6⤵
        Program crash
        
        PID:2068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 192
        6⤵
        Program crash
        
        PID:4840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:624
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 192
        6⤵
        Program crash
        
        PID:2224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 192
        6⤵
        Program crash
        
        PID:4104
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:2572
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4836 -ip 4836
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4900 -ip 4900
1⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 228 -ip 228
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2116 -ip 2116
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3436 -ip 3436
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3920 -ip 3920
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2852 -ip 2852
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3280 -ip 3280
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4676 -ip 4676
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2228 -ip 2228
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4508 -ip 4508
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2912 -ip 2912
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2940 -ip 2940
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2644 -ip 2644
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3484 -ip 3484
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1124 -ip 1124
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 708 -ip 708
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1900 -ip 1900
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3616 -ip 3616
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4616 -ip 4616
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2272 -ip 2272
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3676 -ip 3676
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5032 -ip 5032
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2424 -ip 2424
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4460 -ip 4460
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4904 -ip 4904
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3156 -ip 3156
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2040 -ip 2040
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4900 -ip 4900
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5112 -ip 5112
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4660 -ip 4660
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2892 -ip 2892
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3692 -ip 3692
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1688 -ip 1688
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4572 -ip 4572
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2944 -ip 2944
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2248 -ip 2248
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1704 -ip 1704
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2360 -ip 2360
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3516 -ip 3516
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1964 -ip 1964
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1156 -ip 1156
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1752 -ip 1752
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5052 -ip 5052
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 860 -ip 860
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3568 -ip 3568
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3456 -ip 3456
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1052 -ip 1052
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 864 -ip 864
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 984 -ip 984
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2424 -ip 2424
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 624 -ip 624
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4636 -ip 4636
1⤵
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
bf0df2193b73a2fe2f71d103822cc550

SHA1
40fa08e2c45fa03547d305ef7a59462aa141c5e1

SHA256
3f8a2f599a854d6327c9f816a7272685bfc5813a6e2ed9a83e5ed227eb148bb5

SHA512
47a0b95f1dd1931a9eaf98c9c503247fcda2871892d2aa8f88d00ac4255e3a778660e0926aa94f5b76e350145080b1fa471db31796869543539646b237a8f283

Download Submit
C:\Windows\System\explorer.exe

Filesize
8.2MB

MD5
4433c8390a22d6c4fe0abdc7711f875d

SHA1
9e0874b5b346b265cb2dd6a7c7fa8189bf133e76

SHA256
d63906946c93aa698303e494141d564665971c0995d76e79bc75aa998ff96171

SHA512
0d7e06a96265a2ddb8326dacfef4e996d0ce36ae9e5982138dadb10f85292a80eb9207934e07917653e7f54dcd2fbe68b660cdfa5d68edad4033b6a08300209d

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
7.5MB

MD5
c0f113e37a9d23aa270a3ce26cf36914

SHA1
eabe067521d0984cc90f244db9a5e07867154e6f

SHA256
f350b562f525a1baf38cb27cd6eebf9eb68217552dc45c8cbb74a2f80319bdc5

SHA512
4934bb5c0da40357a92e15283b2146a187e2ccb02ade327917e1eefe5324cc898fb0926aa20332b982048269b8bfb0440c291a844f548728eca10417342ccc13

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.2MB

MD5
88ddc86fae00f5c4396685d332cc91b9

SHA1
eff7a84175d8f34a6894b34002f7dc1f59c26f1d

SHA256
66e132380c762418563f4dacd14e99ebf9b04c097494665580f4bbe00ef1e4df

SHA512
ed4198b361feba87f27a347cb4bdf951d65c1449980d047a8b1d993b757d8546f663b8bf3365c679ecaa96e462b27fb504bec6d5179b7e67272e5d46aef51792

Download Submit
memory/624-136-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/708-95-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1012-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1012-60-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1012-37-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1012-33-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1012-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1012-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1052-129-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2116-77-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2124-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2124-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2124-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2424-134-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2572-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3312-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3312-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3312-3-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3312-23-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3312-6-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3312-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3312-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3348-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3348-34-0x00000000004A0000-0x0000000000569000-memory.dmp

Filesize
804KB

Download
memory/3348-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3348-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3356-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3356-50-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4336-66-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4336-84-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4336-67-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4836-71-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4836-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4900-74-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download