warzonerat | 1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
Size

8.2MB
MD5

4e62a4274a0ec4cb04a71161ce7ce2f0
SHA1

d9565c52ae41f7288ae995cf236cf7c83c0c61ff
SHA256

1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98
SHA512

ac46c2aa574c2fca975bf076afe8d77e1d580b075711d79052bf58e30a9cbb2c2b79ad0c3b5e339dd4dfddb904c70f4f7e6aaf0599f347d726e54ff1f76dce53
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecT:V8e8e8f8e8e8I

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242

Executes dropped EXE 56 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1200	explorer.exe
4752	explorer.exe
1616	spoolsv.exe
3584	spoolsv.exe
4236	spoolsv.exe
4504	spoolsv.exe
1824	spoolsv.exe
3600	spoolsv.exe
2520	spoolsv.exe
3316	spoolsv.exe
832	spoolsv.exe
4344	spoolsv.exe
4924	spoolsv.exe
4556	spoolsv.exe
4968	spoolsv.exe
364	spoolsv.exe
4628	spoolsv.exe
3256	spoolsv.exe
5072	spoolsv.exe
432	spoolsv.exe
4936	spoolsv.exe
2856	spoolsv.exe
2100	spoolsv.exe
1044	spoolsv.exe
1544	spoolsv.exe
4960	spoolsv.exe
4452	spoolsv.exe
3788	spoolsv.exe
2784	spoolsv.exe
1200	spoolsv.exe
3152	spoolsv.exe
4084	spoolsv.exe
2248	spoolsv.exe
4520	spoolsv.exe
3632	spoolsv.exe
1128	spoolsv.exe
1248	spoolsv.exe
4436	spoolsv.exe
828	spoolsv.exe
3044	spoolsv.exe
4032	spoolsv.exe
4280	spoolsv.exe
4448	spoolsv.exe
4572	spoolsv.exe
4464	spoolsv.exe
1428	spoolsv.exe
3144	spoolsv.exe
3852	spoolsv.exe
4560	spoolsv.exe
1344	spoolsv.exe
2476	spoolsv.exe
4336	spoolsv.exe
4080	spoolsv.exe
220	spoolsv.exe
5008	spoolsv.exe
324	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exeexplorer.exe

description	pid	process	target process
PID 2468 set thread context of 2052	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
PID 2468 set thread context of 2956	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	diskperf.exe
PID 1200 set thread context of 4752	1200	explorer.exe	explorer.exe
PID 1200 set thread context of 208	1200	explorer.exe	diskperf.exe

Drops file in Windows directory 3 IoCs

Processes:

1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 52 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3784	3584	WerFault.exe	spoolsv.exe
1412	4236	WerFault.exe	spoolsv.exe
1620	4504	WerFault.exe	spoolsv.exe
1320	1824	WerFault.exe	spoolsv.exe
1800	3600	WerFault.exe	spoolsv.exe
1060	2520	WerFault.exe	spoolsv.exe
4308	3316	WerFault.exe	spoolsv.exe
1384	832	WerFault.exe	spoolsv.exe
3096	4344	WerFault.exe	spoolsv.exe
380	4924	WerFault.exe	spoolsv.exe
1808	4556	WerFault.exe	spoolsv.exe
4124	4968	WerFault.exe	spoolsv.exe
4972	364	WerFault.exe	spoolsv.exe
4220	4628	WerFault.exe	spoolsv.exe
1396	3256	WerFault.exe	spoolsv.exe
4248	5072	WerFault.exe	spoolsv.exe
4036	432	WerFault.exe	spoolsv.exe
2884	4936	WerFault.exe	spoolsv.exe
2660	2856	WerFault.exe	spoolsv.exe
2588	2100	WerFault.exe	spoolsv.exe
4160	1044	WerFault.exe	spoolsv.exe
2540	1544	WerFault.exe	spoolsv.exe
4956	4960	WerFault.exe	spoolsv.exe
2728	4452	WerFault.exe	spoolsv.exe
968	3788	WerFault.exe	spoolsv.exe
5008	2784	WerFault.exe	spoolsv.exe
3212	1200	WerFault.exe	spoolsv.exe
2680	3152	WerFault.exe	spoolsv.exe
1108	4084	WerFault.exe	spoolsv.exe
3264	2248	WerFault.exe	spoolsv.exe
2992	4520	WerFault.exe	spoolsv.exe
4892	3632	WerFault.exe	spoolsv.exe
1800	1128	WerFault.exe	spoolsv.exe
3888	1248	WerFault.exe	spoolsv.exe
1384	4436	WerFault.exe	spoolsv.exe
3096	828	WerFault.exe	spoolsv.exe
2504	3044	WerFault.exe	spoolsv.exe
1808	4032	WerFault.exe	spoolsv.exe
3500	4280	WerFault.exe	spoolsv.exe
4972	4448	WerFault.exe	spoolsv.exe
4220	4572	WerFault.exe	spoolsv.exe
4568	4464	WerFault.exe	spoolsv.exe
1972	1428	WerFault.exe	spoolsv.exe
2336	3144	WerFault.exe	spoolsv.exe
1728	3852	WerFault.exe	spoolsv.exe
4404	4560	WerFault.exe	spoolsv.exe
3060	1344	WerFault.exe	spoolsv.exe
2904	2476	WerFault.exe	spoolsv.exe
760	4336	WerFault.exe	spoolsv.exe
2964	4080	WerFault.exe	spoolsv.exe
1520	220	WerFault.exe	spoolsv.exe
2376	5008	WerFault.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exeexplorer.exeexplorer.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exeexplorer.exe

pid	process
2052	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
2052	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exeexplorer.exe

pid	process
2052	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
2052	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2468 wrote to memory of 2052	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
PID 2468 wrote to memory of 2052	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
PID 2468 wrote to memory of 2052	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
PID 2468 wrote to memory of 2052	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
PID 2468 wrote to memory of 2052	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
PID 2468 wrote to memory of 2052	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
PID 2468 wrote to memory of 2052	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
PID 2468 wrote to memory of 2052	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
PID 2468 wrote to memory of 2956	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	diskperf.exe
PID 2468 wrote to memory of 2956	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	diskperf.exe
PID 2468 wrote to memory of 2956	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	diskperf.exe
PID 2468 wrote to memory of 2956	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	diskperf.exe
PID 2468 wrote to memory of 2956	2468	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	diskperf.exe
PID 2052 wrote to memory of 1200	2052	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	explorer.exe
PID 2052 wrote to memory of 1200	2052	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	explorer.exe
PID 2052 wrote to memory of 1200	2052	1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe	explorer.exe
PID 1200 wrote to memory of 4752	1200	explorer.exe	explorer.exe
PID 1200 wrote to memory of 4752	1200	explorer.exe	explorer.exe
PID 1200 wrote to memory of 4752	1200	explorer.exe	explorer.exe
PID 1200 wrote to memory of 4752	1200	explorer.exe	explorer.exe
PID 1200 wrote to memory of 4752	1200	explorer.exe	explorer.exe
PID 1200 wrote to memory of 4752	1200	explorer.exe	explorer.exe
PID 1200 wrote to memory of 4752	1200	explorer.exe	explorer.exe
PID 1200 wrote to memory of 4752	1200	explorer.exe	explorer.exe
PID 1200 wrote to memory of 208	1200	explorer.exe	diskperf.exe
PID 1200 wrote to memory of 208	1200	explorer.exe	diskperf.exe
PID 1200 wrote to memory of 208	1200	explorer.exe	diskperf.exe
PID 1200 wrote to memory of 208	1200	explorer.exe	diskperf.exe
PID 1200 wrote to memory of 208	1200	explorer.exe	diskperf.exe
PID 4752 wrote to memory of 1616	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 1616	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 1616	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 3584	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 3584	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 3584	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4236	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4236	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4236	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4504	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4504	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4504	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 1824	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 1824	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 1824	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 3600	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 3600	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 3600	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 2520	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 2520	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 2520	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 3316	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 3316	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 3316	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 832	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 832	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 832	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4344	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4344	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4344	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4924	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4924	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4924	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4556	4752	explorer.exe	spoolsv.exe
PID 4752 wrote to memory of 4556	4752	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
"C:\Users\Admin\AppData\Local\Temp\1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe
  "C:\Users\Admin\AppData\Local\Temp\1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2052
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 200
        6⤵
        Program crash
        
        PID:3784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4236
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 192
        6⤵
        Program crash
        
        PID:1412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 192
        6⤵
        Program crash
        
        PID:1620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1824
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 192
        6⤵
        Program crash
        
        PID:1320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3600
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 192
        6⤵
        Program crash
        
        PID:1800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2520
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 192
        6⤵
        Program crash
        
        PID:1060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3316
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 192
        6⤵
        Program crash
        
        PID:4308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 192
        6⤵
        Program crash
        
        PID:1384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 192
        6⤵
        Program crash
        
        PID:3096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 192
        6⤵
        Program crash
        
        PID:380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 192
        6⤵
        Program crash
        
        PID:1808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4968
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 192
        6⤵
        Program crash
        
        PID:4124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 192
        6⤵
        Program crash
        
        PID:4972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 192
        6⤵
        Program crash
        
        PID:4220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 192
        6⤵
        Program crash
        
        PID:1396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 192
        6⤵
        Program crash
        
        PID:4248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 192
        6⤵
        Program crash
        
        PID:4036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 192
        6⤵
        Program crash
        
        PID:2884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2856
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 192
        6⤵
        Program crash
        
        PID:2660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 192
        6⤵
        Program crash
        
        PID:2588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 192
        6⤵
        Program crash
        
        PID:4160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 192
        6⤵
        Program crash
        
        PID:2540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 192
        6⤵
        Program crash
        
        PID:4956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 192
        6⤵
        Program crash
        
        PID:2728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 192
        6⤵
        Program crash
        
        PID:968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2784
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 192
        6⤵
        Program crash
        
        PID:5008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1200
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 192
        6⤵
        Program crash
        
        PID:3212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3152
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 192
        6⤵
        Program crash
        
        PID:2680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 192
        6⤵
        Program crash
        
        PID:1108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 192
        6⤵
        Program crash
        
        PID:3264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4520
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 192
        6⤵
        Program crash
        
        PID:2992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3632
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 192
        6⤵
        Program crash
        
        PID:4892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 192
        6⤵
        Program crash
        
        PID:1800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 192
        6⤵
        Program crash
        
        PID:3888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 192
        6⤵
        Program crash
        
        PID:1384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:828
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 192
        6⤵
        Program crash
        
        PID:3096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 192
        6⤵
        Program crash
        
        PID:2504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 192
        6⤵
        Program crash
        
        PID:1808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 192
        6⤵
        Program crash
        
        PID:3500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 192
        6⤵
        Program crash
        
        PID:4972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 192
        6⤵
        Program crash
        
        PID:4220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 192
        6⤵
        Program crash
        
        PID:4568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1428
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 192
        6⤵
        Program crash
        
        PID:1972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3144
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 192
        6⤵
        Program crash
        
        PID:2336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 192
        6⤵
        Program crash
        
        PID:1728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4560
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 192
        6⤵
        Program crash
        
        PID:4404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 200
        6⤵
        Program crash
        
        PID:3060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 192
        6⤵
        Program crash
        
        PID:2904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4336
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 192
        6⤵
        Program crash
        
        PID:760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4080
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 192
        6⤵
        Program crash
        
        PID:2964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:220
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 192
        6⤵
        Program crash
        
        PID:1520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 192
        6⤵
        Program crash
        
        PID:2376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:324
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:208
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3584 -ip 3584
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4236 -ip 4236
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4504 -ip 4504
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1824 -ip 1824
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3600 -ip 3600
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2520 -ip 2520
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3316 -ip 3316
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 832 -ip 832
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4344 -ip 4344
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4924 -ip 4924
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4556 -ip 4556
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4968 -ip 4968
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 364 -ip 364
1⤵
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4628 -ip 4628
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3256 -ip 3256
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5072 -ip 5072
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 432 -ip 432
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4936 -ip 4936
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2856 -ip 2856
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2100 -ip 2100
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1044 -ip 1044
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1544 -ip 1544
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4960 -ip 4960
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4452 -ip 4452
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3788 -ip 3788
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2784 -ip 2784
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1200 -ip 1200
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3152 -ip 3152
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4084 -ip 4084
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2248 -ip 2248
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4520 -ip 4520
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3632 -ip 3632
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1128 -ip 1128
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1248 -ip 1248
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4436 -ip 4436
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 828 -ip 828
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3044 -ip 3044
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4032 -ip 4032
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4280 -ip 4280
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4448 -ip 4448
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4572 -ip 4572
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4464 -ip 4464
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1428 -ip 1428
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3144 -ip 3144
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3852 -ip 3852
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4560 -ip 4560
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1344 -ip 1344
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2476 -ip 2476
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4336 -ip 4336
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4080 -ip 4080
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 220 -ip 220
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5008 -ip 5008
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 324 -ip 324
1⤵
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
4e62a4274a0ec4cb04a71161ce7ce2f0

SHA1
d9565c52ae41f7288ae995cf236cf7c83c0c61ff

SHA256
1c820fcba0278fc3b44eddd77706776243e7fd0ad4e49d5291dda6aac57f8c98

SHA512
ac46c2aa574c2fca975bf076afe8d77e1d580b075711d79052bf58e30a9cbb2c2b79ad0c3b5e339dd4dfddb904c70f4f7e6aaf0599f347d726e54ff1f76dce53

Download Submit
C:\Windows\System\explorer.exe

Filesize
8.2MB

MD5
6d668e3ea95cc98890712ee1cf262667

SHA1
2fc7a9535ae737a2522c9f8209c0eb9678a7cf68

SHA256
a63a24c1c200613b7e96cd40b910f7a2a12d65331fc8553da6b1b200dede553e

SHA512
cc571295937021950b624dec118759f55327943445735cced4453b100534f5b96c37f4418c3a9982b7a4d9c0a449befe580e3d94a0023b11e3df4e41d0de8269

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
6.1MB

MD5
2a1d18619ee2a2637fd5fd78595bc32c

SHA1
51c3238cd1862f2b8be8b5267ab8cd9b9b4565e0

SHA256
851496f026ab6b96df14eb8c1279b7fe09eca42c4ec7da1a1151635fdd013452

SHA512
81289d1e9df3aa3dc1facc09bba8904052297db4c035e39271a80b19c3c4147f4c9f0a41cc8bce986d2253cf23d129d019694a64feed32a1938d6d081966170a

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.2MB

MD5
6aa25eed8d1e9cd92858222826b5cf16

SHA1
ea4a1a891b9e4260c3684ebd68430ae16b27ef9f

SHA256
0d5db67235eb0ff37081e9539eba07e9ad8b15f7c170a064ea291e5b0eeea807

SHA512
3a2f5598b18cf50c77ed79817aeb5c7e2364f6f6715447baa2d80cb829bfd67ac5adc4e6d7f13677e83d72e10694133f434c32a99ba5eed2347122c0e1d75031

Download Submit
memory/208-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/220-132-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1128-110-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1200-35-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1200-56-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1200-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1200-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1200-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1200-33-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1616-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1616-64-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1616-81-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1616-63-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2052-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2052-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2052-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2468-6-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2468-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2468-3-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2468-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2468-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2468-22-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2468-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2956-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2956-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2956-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3584-70-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3584-69-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4236-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4344-82-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4464-121-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4752-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download