Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-11-2024 19:07
Behavioral task
behavioral1
Sample
01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe
Resource
win10v2004-20241007-en
General
Target: 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe
Size: 8.2MB
MD5: 1ea215ae589f81b83b15fadc497bedad
SHA1: 727578ca65d0787411d4b99ed7859adee76fc0ab
SHA256: 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c
SHA512: b165d9ad6e72cdddc607d8ba89fdeaca114286a1bedd62839fc7266d57e0ea885ff88d4ea4e7f6595d6ab8caef37749c20af77df79d720a344321719930c07a1
SSDEEP: 49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecw:V8e8e8f8e8e83
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzonerat family
Warzone RAT payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/files/0x0008000000016c9d-42.dat | warzonerat
behavioral1/files/0x000f000000016814-80.dat | warzonerat
behavioral1/files/0x0008000000016cc8-95.dat | warzonerat
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Processes:
resource | yara_rule
behavioral1/files/0x0008000000016c9d-42.dat | aspack_v212_v242
behavioral1/files/0x000f000000016814-80.dat | aspack_v212_v242
behavioral1/files/0x0008000000016cc8-95.dat | aspack_v212_v242
Executes dropped EXE 13 IoCs
Processes:
pid | Process
2736 | explorer.exe
1580 | explorer.exe
2492 | spoolsv.exe
1916 | spoolsv.exe
2508 | spoolsv.exe
2524 | spoolsv.exe
3040 | spoolsv.exe
1748 | spoolsv.exe
1704 | spoolsv.exe
2244 | spoolsv.exe
2600 | spoolsv.exe
1080 | spoolsv.exe
1468 | svchost.exe
Loads dropped DLL 64 IoCs
Processes:
pid | Process
2732 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe
2732 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1788 | WerFault.exe
1788 | WerFault.exe
1788 | WerFault.exe
1788 | WerFault.exe
1788 | WerFault.exe
1788 | WerFault.exe
1788 | WerFault.exe
1580 | explorer.exe
1580 | explorer.exe
2808 | WerFault.exe
2808 | WerFault.exe
2808 | WerFault.exe
2808 | WerFault.exe
2808 | WerFault.exe
2808 | WerFault.exe
2808 | WerFault.exe
1580 | explorer.exe
1580 | explorer.exe
1736 | WerFault.exe
1736 | WerFault.exe
1736 | WerFault.exe
1736 | WerFault.exe
1736 | WerFault.exe
1736 | WerFault.exe
1736 | WerFault.exe
1580 | explorer.exe
1580 | explorer.exe
3044 | WerFault.exe
3044 | WerFault.exe
3044 | WerFault.exe
3044 | WerFault.exe
3044 | WerFault.exe
3044 | WerFault.exe
3044 | WerFault.exe
1580 | explorer.exe
1580 | explorer.exe
2964 | WerFault.exe
2964 | WerFault.exe
2964 | WerFault.exe
2964 | WerFault.exe
2964 | WerFault.exe
2964 | WerFault.exe
2964 | WerFault.exe
1580 | explorer.exe
1580 | explorer.exe
3012 | WerFault.exe
3012 | WerFault.exe
3012 | WerFault.exe
3012 | WerFault.exe
3012 | WerFault.exe
3012 | WerFault.exe
3012 | WerFault.exe
1580 | explorer.exe
1580 | explorer.exe
2720 | WerFault.exe
2720 | WerFault.exe
2720 | WerFault.exe
2720 | WerFault.exe
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | spoolsv.exe
Suspicious use of SetThreadContext 6 IoCs
Processes:
description | pid | Process | procid_target
PID 2260 set thread context of 2732 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 31
PID 2260 set thread context of 2620 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 32
PID 2736 set thread context of 1580 | 2736 | explorer.exe | 35
PID 2736 set thread context of 2996 | 2736 | explorer.exe | 36
PID 2492 set thread context of 1080 | 2492 | spoolsv.exe | 54
PID 2492 set thread context of 2576 | 2492 | spoolsv.exe | 55
Drops file in Windows directory 5 IoCs
Processes:
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 8 IoCs
Processes:
pid | pid_target | Process | procid_target
1788 | 1916 | WerFault.exe | 38
2808 | 2508 | WerFault.exe | 40
1736 | 2524 | WerFault.exe | 42
3044 | 3040 | WerFault.exe | 44
2964 | 1748 | WerFault.exe | 46
3012 | 1704 | WerFault.exe | 48
2720 | 2244 | WerFault.exe | 50
2832 | 2600 | WerFault.exe | 52
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process
2732 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | Process
1580 | explorer.exe
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid | Process
2732 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe
2732 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1580 | explorer.exe
1080 | spoolsv.exe
1080 | spoolsv.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | Process | procid_target
PID 2260 wrote to memory of 2732 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 31
PID 2260 wrote to memory of 2732 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 31
PID 2260 wrote to memory of 2732 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 31
PID 2260 wrote to memory of 2732 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 31
PID 2260 wrote to memory of 2732 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 31
PID 2260 wrote to memory of 2732 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 31
PID 2260 wrote to memory of 2732 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 31
PID 2260 wrote to memory of 2732 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 31
PID 2260 wrote to memory of 2732 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 31
PID 2260 wrote to memory of 2620 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 32
PID 2260 wrote to memory of 2620 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 32
PID 2260 wrote to memory of 2620 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 32
PID 2260 wrote to memory of 2620 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 32
PID 2260 wrote to memory of 2620 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 32
PID 2260 wrote to memory of 2620 | 2260 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 32
PID 2732 wrote to memory of 2736 | 2732 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 33
PID 2732 wrote to memory of 2736 | 2732 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 33
PID 2732 wrote to memory of 2736 | 2732 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 33
PID 2732 wrote to memory of 2736 | 2732 | 01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe | 33
PID 2736 wrote to memory of 1580 | 2736 | explorer.exe | 35
PID 2736 wrote to memory of 1580 | 2736 | explorer.exe | 35
PID 2736 wrote to memory of 1580 | 2736 | explorer.exe | 35
PID 2736 wrote to memory of 1580 | 2736 | explorer.exe | 35
PID 2736 wrote to memory of 1580 | 2736 | explorer.exe | 35
PID 2736 wrote to memory of 1580 | 2736 | explorer.exe | 35
PID 2736 wrote to memory of 1580 | 2736 | explorer.exe | 35
PID 2736 wrote to memory of 1580 | 2736 | explorer.exe | 35
PID 2736 wrote to memory of 1580 | 2736 | explorer.exe | 35
PID 2736 wrote to memory of 2996 | 2736 | explorer.exe | 36
PID 2736 wrote to memory of 2996 | 2736 | explorer.exe | 36
PID 2736 wrote to memory of 2996 | 2736 | explorer.exe | 36
PID 2736 wrote to memory of 2996 | 2736 | explorer.exe | 36
PID 2736 wrote to memory of 2996 | 2736 | explorer.exe | 36
PID 2736 wrote to memory of 2996 | 2736 | explorer.exe | 36
PID 1580 wrote to memory of 2492 | 1580 | explorer.exe | 37
PID 1580 wrote to memory of 2492 | 1580 | explorer.exe | 37
PID 1580 wrote to memory of 2492 | 1580 | explorer.exe | 37
PID 1580 wrote to memory of 2492 | 1580 | explorer.exe | 37
PID 1580 wrote to memory of 1916 | 1580 | explorer.exe | 38
PID 1580 wrote to memory of 1916 | 1580 | explorer.exe | 38
PID 1580 wrote to memory of 1916 | 1580 | explorer.exe | 38
PID 1580 wrote to memory of 1916 | 1580 | explorer.exe | 38
PID 1916 wrote to memory of 1788 | 1916 | spoolsv.exe | 39
PID 1916 wrote to memory of 1788 | 1916 | spoolsv.exe | 39
PID 1916 wrote to memory of 1788 | 1916 | spoolsv.exe | 39
PID 1916 wrote to memory of 1788 | 1916 | spoolsv.exe | 39
PID 1580 wrote to memory of 2508 | 1580 | explorer.exe | 40
PID 1580 wrote to memory of 2508 | 1580 | explorer.exe | 40
PID 1580 wrote to memory of 2508 | 1580 | explorer.exe | 40
PID 1580 wrote to memory of 2508 | 1580 | explorer.exe | 40
PID 2508 wrote to memory of 2808 | 2508 | spoolsv.exe | 41
PID 2508 wrote to memory of 2808 | 2508 | spoolsv.exe | 41
PID 2508 wrote to memory of 2808 | 2508 | spoolsv.exe | 41
PID 2508 wrote to memory of 2808 | 2508 | spoolsv.exe | 41
PID 1580 wrote to memory of 2524 | 1580 | explorer.exe | 42
PID 1580 wrote to memory of 2524 | 1580 | explorer.exe | 42
PID 1580 wrote to memory of 2524 | 1580 | explorer.exe | 42
PID 1580 wrote to memory of 2524 | 1580 | explorer.exe | 42
PID 2524 wrote to memory of 1736 | 2524 | spoolsv.exe | 43
PID 2524 wrote to memory of 1736 | 2524 | spoolsv.exe | 43
PID 2524 wrote to memory of 1736 | 2524 | spoolsv.exe | 43
PID 2524 wrote to memory of 1736 | 2524 | spoolsv.exe | 43
PID 1580 wrote to memory of 3040 | 1580 | explorer.exe | 44
PID 1580 wrote to memory of 3040 | 1580 | explorer.exe | 44
Processes
(depth in the process tree is shown in brackets; each entry gives the image path, the command line, and the PID, followed by the signatures triggered by that process)
[1] C:\Users\Admin\AppData\Local\Temp\01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe  "C:\Users\Admin\AppData\Local\Temp\01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe"  PID:2260
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe  "C:\Users\Admin\AppData\Local\Temp\01bf86c7df1164046942f4b2711f1a8d0686889ebdea8f86c85f046a2255e68c.exe"  PID:2732
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe  c:\windows\system\explorer.exe  PID:2736
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe  c:\windows\system\explorer.exe  PID:1580
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  PID:2492
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
          [6] \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  PID:1080
              - Executes dropped EXE
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\svchost.exe  c:\windows\system\svchost.exe  PID:1468
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\diskperf.exe  "C:\Windows\SysWOW64\diskperf.exe"  PID:2576
        [5] \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  PID:1916
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 36  PID:1788
              - Loads dropped DLL
              - Program crash
        [5] \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  PID:2508
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 36  PID:2808
              - Loads dropped DLL
              - Program crash
        [5] \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  PID:2524
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 36  PID:1736
              - Loads dropped DLL
              - Program crash
        [5] \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  PID:3040
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 36  PID:3044
              - Loads dropped DLL
              - Program crash
        [5] \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  PID:1748
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 36  PID:2964
              - Loads dropped DLL
              - Program crash
        [5] \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  PID:1704
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 36  PID:3012
              - Loads dropped DLL
              - Program crash
        [5] \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  PID:2244
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 36  PID:2720
              - Loads dropped DLL
              - Program crash
        [5] \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  PID:2600
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 36  PID:2832
              - Program crash
      [4] C:\Windows\SysWOW64\diskperf.exe  "C:\Windows\SysWOW64\diskperf.exe"  PID:2996
  [2] C:\Windows\SysWOW64\diskperf.exe  "C:\Windows\SysWOW64\diskperf.exe"  PID:2620
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)