warzonerat | 29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe
Size

3.9MB
MD5

ab666776df79673960bb46d5e707271d
SHA1

1ea9473835bdc9870cfbf6f10c6a73dc4bfa2586
SHA256

29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca
SHA512

978ccbf92c4eed0161b4285062eb79e1fdf77464a398cc1ee4c57d6aab83df37b15195c3dc15b86d90fd3fe1ebd4c39ff1e348258ef9ebc3e29ee992bbbdfa0b
SSDEEP

24576:GIbGD2JTu0GoWQDbGV6eH8tkxIbGD2JTu0GoWQDbGV6eH8tkxIbGD2JTu0GoWQD6:7C0bNechC0bNechC0bNecS

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000015d48-42.dat	warzonerat
behavioral1/files/0x0008000000015d19-80.dat	warzonerat
behavioral1/files/0x0008000000015d70-96.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000015d48-42.dat	aspack_v212_v242
behavioral1/files/0x0008000000015d19-80.dat	aspack_v212_v242
behavioral1/files/0x0008000000015d70-96.dat	aspack_v212_v242

Executes dropped EXE 13 IoCs

pid	Process
2912	explorer.exe
2044	explorer.exe
1976	spoolsv.exe
2272	spoolsv.exe
952	spoolsv.exe
832	spoolsv.exe
896	spoolsv.exe
2328	spoolsv.exe
1520	spoolsv.exe
2056	spoolsv.exe
1004	spoolsv.exe
2824	spoolsv.exe
2548	svchost.exe

Loads dropped DLL 64 IoCs

pid	Process
2152	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe
2152	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2044	explorer.exe
2044	explorer.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
2044	explorer.exe
2044	explorer.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
2044	explorer.exe
2044	explorer.exe
2452	WerFault.exe
2452	WerFault.exe
2452	WerFault.exe
2452	WerFault.exe
2452	WerFault.exe
2452	WerFault.exe
2452	WerFault.exe
2044	explorer.exe
2044	explorer.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
2044	explorer.exe
2044	explorer.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2044	explorer.exe
2044	explorer.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1856 set thread context of 2152	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	31
PID 1856 set thread context of 2712	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	32
PID 2912 set thread context of 2044	2912	explorer.exe	34
PID 2912 set thread context of 316	2912	explorer.exe	35
PID 1976 set thread context of 2824	1976	spoolsv.exe	53
PID 1976 set thread context of 2756	1976	spoolsv.exe	54

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
2116	2272	WerFault.exe
1744	952	WerFault.exe	39
1632	832	WerFault.exe	41
2452	896	WerFault.exe
1992	2328	WerFault.exe	45
2580	1520	WerFault.exe	47
2400	2056	WerFault.exe	49
2168	1004	WerFault.exe	51

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2152	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2044	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2152	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe
2152	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2824	spoolsv.exe
2824	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2152	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	31
PID 1856 wrote to memory of 2152	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	31
PID 1856 wrote to memory of 2152	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	31
PID 1856 wrote to memory of 2152	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	31
PID 1856 wrote to memory of 2152	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	31
PID 1856 wrote to memory of 2152	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	31
PID 1856 wrote to memory of 2152	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	31
PID 1856 wrote to memory of 2152	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	31
PID 1856 wrote to memory of 2152	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	31
PID 1856 wrote to memory of 2712	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	32
PID 1856 wrote to memory of 2712	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	32
PID 1856 wrote to memory of 2712	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	32
PID 1856 wrote to memory of 2712	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	32
PID 1856 wrote to memory of 2712	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	32
PID 1856 wrote to memory of 2712	1856	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	32
PID 2152 wrote to memory of 2912	2152	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	33
PID 2152 wrote to memory of 2912	2152	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	33
PID 2152 wrote to memory of 2912	2152	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	33
PID 2152 wrote to memory of 2912	2152	29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe	33
PID 2912 wrote to memory of 2044	2912	explorer.exe	34
PID 2912 wrote to memory of 2044	2912	explorer.exe	34
PID 2912 wrote to memory of 2044	2912	explorer.exe	34
PID 2912 wrote to memory of 2044	2912	explorer.exe	34
PID 2912 wrote to memory of 2044	2912	explorer.exe	34
PID 2912 wrote to memory of 2044	2912	explorer.exe	34
PID 2912 wrote to memory of 2044	2912	explorer.exe	34
PID 2912 wrote to memory of 2044	2912	explorer.exe	34
PID 2912 wrote to memory of 2044	2912	explorer.exe	34
PID 2912 wrote to memory of 316	2912	explorer.exe	35
PID 2912 wrote to memory of 316	2912	explorer.exe	35
PID 2912 wrote to memory of 316	2912	explorer.exe	35
PID 2912 wrote to memory of 316	2912	explorer.exe	35
PID 2912 wrote to memory of 316	2912	explorer.exe	35
PID 2912 wrote to memory of 316	2912	explorer.exe	35
PID 2044 wrote to memory of 1976	2044	explorer.exe	36
PID 2044 wrote to memory of 1976	2044	explorer.exe	36
PID 2044 wrote to memory of 1976	2044	explorer.exe	36
PID 2044 wrote to memory of 1976	2044	explorer.exe	36
PID 2044 wrote to memory of 2272	2044	explorer.exe	37
PID 2044 wrote to memory of 2272	2044	explorer.exe	37
PID 2044 wrote to memory of 2272	2044	explorer.exe	37
PID 2044 wrote to memory of 2272	2044	explorer.exe	37
PID 2272 wrote to memory of 2116	2272	spoolsv.exe	38
PID 2272 wrote to memory of 2116	2272	spoolsv.exe	38
PID 2272 wrote to memory of 2116	2272	spoolsv.exe	38
PID 2272 wrote to memory of 2116	2272	spoolsv.exe	38
PID 2044 wrote to memory of 952	2044	explorer.exe	39
PID 2044 wrote to memory of 952	2044	explorer.exe	39
PID 2044 wrote to memory of 952	2044	explorer.exe	39
PID 2044 wrote to memory of 952	2044	explorer.exe	39
PID 952 wrote to memory of 1744	952	spoolsv.exe	40
PID 952 wrote to memory of 1744	952	spoolsv.exe	40
PID 952 wrote to memory of 1744	952	spoolsv.exe	40
PID 952 wrote to memory of 1744	952	spoolsv.exe	40
PID 2044 wrote to memory of 832	2044	explorer.exe	41
PID 2044 wrote to memory of 832	2044	explorer.exe	41
PID 2044 wrote to memory of 832	2044	explorer.exe	41
PID 2044 wrote to memory of 832	2044	explorer.exe	41
PID 832 wrote to memory of 1632	832	spoolsv.exe	42
PID 832 wrote to memory of 1632	832	spoolsv.exe	42
PID 832 wrote to memory of 1632	832	spoolsv.exe	42
PID 832 wrote to memory of 1632	832	spoolsv.exe	42
PID 2044 wrote to memory of 896	2044	explorer.exe	43
PID 2044 wrote to memory of 896	2044	explorer.exe	43

C:\Users\Admin\AppData\Local\Temp\29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe
"C:\Users\Admin\AppData\Local\Temp\29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe
  "C:\Users\Admin\AppData\Local\Temp\29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1976
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2548
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:896
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1520
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2056
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 36
        6⤵
        Program crash
        
        PID:2168
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:316
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
3.9MB

MD5
ab666776df79673960bb46d5e707271d

SHA1
1ea9473835bdc9870cfbf6f10c6a73dc4bfa2586

SHA256
29dbdca14a2afdfc1bb152ba8fa2406adc433d76cbce1e31d0f91529094551ca

SHA512
978ccbf92c4eed0161b4285062eb79e1fdf77464a398cc1ee4c57d6aab83df37b15195c3dc15b86d90fd3fe1ebd4c39ff1e348258ef9ebc3e29ee992bbbdfa0b

Download Submit
C:\Windows\system\explorer.exe

Filesize
3.9MB

MD5
4592fe49c679cecc21714de3200259d6

SHA1
d2526026fb4c4097eeaef3dab7963e8fcb103982

SHA256
cf0ba51a1cf66bacd056409f1619dff00fe9705c48cc930f1ce66d0439e182e5

SHA512
b8586539b4a72230cec45427aca17d31aa50b88fe37c66a64736c2d236dcd6e46d14ca559bddd660a34ab5ef5a65cc7f15f92a4aa60ff9ea73e43f7b997f6f94

Download Submit
\Windows\system\spoolsv.exe

Filesize
3.9MB

MD5
9afcf2abbfa753a74e914f05e38b10b5

SHA1
d2a635c0c302b7b72688b0f8cb17b7640c0b942c

SHA256
b4aeea059554096677e15932a93b9781005edc047f83a9bc0f76f11b834e8847

SHA512
00ae94956165f5993e0b7d9ed46de0ceda08ec1e0eacfe7bc2a1d146d3f6dde82bd86d6047e60419fe539e90ed3e03d858dc6be46a76a90d6b9cc8d5b13c505c

Download Submit
memory/1004-220-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1856-39-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1856-3-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1856-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1856-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1856-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1856-6-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1856-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1856-21-0x00000000031D0000-0x00000000032E4000-memory.dmp

Filesize
1.1MB

Download
memory/1976-145-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1976-103-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1976-102-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1976-104-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1976-248-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2044-143-0x00000000033C0000-0x00000000034D4000-memory.dmp

Filesize
1.1MB

Download
memory/2044-116-0x00000000034C0000-0x00000000035D4000-memory.dmp

Filesize
1.1MB

Download
memory/2044-264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-260-0x00000000034C0000-0x00000000035D4000-memory.dmp

Filesize
1.1MB

Download
memory/2044-132-0x00000000034C0000-0x00000000035D4000-memory.dmp

Filesize
1.1MB

Download
memory/2044-221-0x00000000034C0000-0x00000000035D4000-memory.dmp

Filesize
1.1MB

Download
memory/2044-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-133-0x00000000034C0000-0x00000000035D4000-memory.dmp

Filesize
1.1MB

Download
memory/2044-191-0x00000000034C0000-0x00000000035D4000-memory.dmp

Filesize
1.1MB

Download
memory/2044-153-0x00000000034C0000-0x00000000035D4000-memory.dmp

Filesize
1.1MB

Download
memory/2044-154-0x00000000034C0000-0x00000000035D4000-memory.dmp

Filesize
1.1MB

Download
memory/2044-100-0x00000000033C0000-0x00000000034D4000-memory.dmp

Filesize
1.1MB

Download
memory/2044-155-0x00000000034C0000-0x00000000035D4000-memory.dmp

Filesize
1.1MB

Download
memory/2044-144-0x00000000033C0000-0x00000000034D4000-memory.dmp

Filesize
1.1MB

Download
memory/2044-114-0x00000000034C0000-0x00000000035D4000-memory.dmp

Filesize
1.1MB

Download
memory/2152-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2152-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2152-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2152-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2152-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2152-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2272-124-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2548-256-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2548-262-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2712-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2712-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2712-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-38-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2712-40-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2824-259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2912-87-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2912-58-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2912-54-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2912-51-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2912-53-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2912-52-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download