warzonerat | 73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496

Analysis

max time kernel
118s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
Size

8.2MB
MD5

94743e590c3fa90bcddac54c6aafd890
SHA1

6f18625ff07e8e0090da94a8a2cbd13db77510ca
SHA256

73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496
SHA512

eb48f27ded31c5ad6e42f29aba19241477155f9cf65fb8729e43cb73455f6ca57b650ceffcf64612a2a6f2c5cd7600d892ee8127a865290422931740841fff8e
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecw:V8e8e8f8e8e8B

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 25 IoCs

rat

resource	yara_rule
behavioral1/memory/1680-23-0x0000000002D20000-0x0000000002E34000-memory.dmp	warzonerat
behavioral1/files/0x0007000000019643-42.dat	warzonerat
behavioral1/files/0x00080000000195c6-79.dat	warzonerat
behavioral1/files/0x000700000001975a-95.dat	warzonerat
behavioral1/files/0x000700000001975a-158.dat	warzonerat
behavioral1/files/0x000700000001975a-159.dat	warzonerat
behavioral1/files/0x000700000001975a-156.dat	warzonerat
behavioral1/files/0x000700000001975a-155.dat	warzonerat
behavioral1/files/0x000700000001975a-154.dat	warzonerat
behavioral1/files/0x000700000001975a-174.dat	warzonerat
behavioral1/files/0x000700000001975a-173.dat	warzonerat
behavioral1/files/0x000700000001975a-178.dat	warzonerat
behavioral1/files/0x000700000001975a-175.dat	warzonerat
behavioral1/files/0x000700000001975a-176.dat	warzonerat
behavioral1/files/0x000700000001975a-170.dat	warzonerat
behavioral1/files/0x000700000001975a-166.dat	warzonerat
behavioral1/files/0x000700000001975a-164.dat	warzonerat
behavioral1/files/0x000700000001975a-188.dat	warzonerat
behavioral1/files/0x000700000001975a-184.dat	warzonerat
behavioral1/files/0x000700000001975a-182.dat	warzonerat
behavioral1/files/0x000700000001975a-194.dat	warzonerat
behavioral1/files/0x000700000001975a-190.dat	warzonerat
behavioral1/files/0x000700000001975a-193.dat	warzonerat
behavioral1/files/0x000700000001975a-191.dat	warzonerat
behavioral1/files/0x000700000001975a-195.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 24 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000019643-42.dat	aspack_v212_v242
behavioral1/files/0x00080000000195c6-79.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-95.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-158.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-159.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-156.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-155.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-154.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-174.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-173.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-178.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-175.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-176.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-170.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-166.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-164.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-188.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-184.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-182.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-194.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-190.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-193.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-191.dat	aspack_v212_v242
behavioral1/files/0x000700000001975a-195.dat	aspack_v212_v242

Executes dropped EXE 8 IoCs

pid	Process
2216	explorer.exe
2756	explorer.exe
2380	spoolsv.exe
2228	spoolsv.exe
776	spoolsv.exe
1668	spoolsv.exe
108	spoolsv.exe
1748	spoolsv.exe

Loads dropped DLL 42 IoCs

pid	Process
2852	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
2852	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
1904	WerFault.exe
1904	WerFault.exe
1904	WerFault.exe
1904	WerFault.exe
1904	WerFault.exe
1904	WerFault.exe
1904	WerFault.exe
2756	explorer.exe
2756	explorer.exe
1088	WerFault.exe
1088	WerFault.exe
1088	WerFault.exe
1088	WerFault.exe
1088	WerFault.exe
1088	WerFault.exe
1088	WerFault.exe
2756	explorer.exe
2756	explorer.exe
952	WerFault.exe
952	WerFault.exe
952	WerFault.exe
952	WerFault.exe
952	WerFault.exe
952	WerFault.exe
952	WerFault.exe
2756	explorer.exe
2756	explorer.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
2756	explorer.exe
2756	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1680 set thread context of 2852	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	30
PID 1680 set thread context of 1788	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	31
PID 2216 set thread context of 2756	2216	explorer.exe	34
PID 2216 set thread context of 264	2216	explorer.exe	35

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1904	2228	WerFault.exe	37
1088	776	WerFault.exe	39
952	1668	WerFault.exe	41
1752	108	WerFault.exe
2604	1748	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2852	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2852	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
2852	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2852	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	30
PID 1680 wrote to memory of 2852	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	30
PID 1680 wrote to memory of 2852	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	30
PID 1680 wrote to memory of 2852	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	30
PID 1680 wrote to memory of 2852	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	30
PID 1680 wrote to memory of 2852	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	30
PID 1680 wrote to memory of 2852	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	30
PID 1680 wrote to memory of 2852	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	30
PID 1680 wrote to memory of 2852	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	30
PID 1680 wrote to memory of 1788	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	31
PID 1680 wrote to memory of 1788	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	31
PID 1680 wrote to memory of 1788	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	31
PID 1680 wrote to memory of 1788	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	31
PID 1680 wrote to memory of 1788	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	31
PID 1680 wrote to memory of 1788	1680	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	31
PID 2852 wrote to memory of 2216	2852	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	32
PID 2852 wrote to memory of 2216	2852	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	32
PID 2852 wrote to memory of 2216	2852	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	32
PID 2852 wrote to memory of 2216	2852	73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe	32
PID 2216 wrote to memory of 2756	2216	explorer.exe	34
PID 2216 wrote to memory of 2756	2216	explorer.exe	34
PID 2216 wrote to memory of 2756	2216	explorer.exe	34
PID 2216 wrote to memory of 2756	2216	explorer.exe	34
PID 2216 wrote to memory of 2756	2216	explorer.exe	34
PID 2216 wrote to memory of 2756	2216	explorer.exe	34
PID 2216 wrote to memory of 2756	2216	explorer.exe	34
PID 2216 wrote to memory of 2756	2216	explorer.exe	34
PID 2216 wrote to memory of 2756	2216	explorer.exe	34
PID 2216 wrote to memory of 264	2216	explorer.exe	35
PID 2216 wrote to memory of 264	2216	explorer.exe	35
PID 2216 wrote to memory of 264	2216	explorer.exe	35
PID 2216 wrote to memory of 264	2216	explorer.exe	35
PID 2216 wrote to memory of 264	2216	explorer.exe	35
PID 2216 wrote to memory of 264	2216	explorer.exe	35
PID 2756 wrote to memory of 2380	2756	explorer.exe	36
PID 2756 wrote to memory of 2380	2756	explorer.exe	36
PID 2756 wrote to memory of 2380	2756	explorer.exe	36
PID 2756 wrote to memory of 2380	2756	explorer.exe	36
PID 2756 wrote to memory of 2228	2756	explorer.exe	37
PID 2756 wrote to memory of 2228	2756	explorer.exe	37
PID 2756 wrote to memory of 2228	2756	explorer.exe	37
PID 2756 wrote to memory of 2228	2756	explorer.exe	37
PID 2228 wrote to memory of 1904	2228	spoolsv.exe	38
PID 2228 wrote to memory of 1904	2228	spoolsv.exe	38
PID 2228 wrote to memory of 1904	2228	spoolsv.exe	38
PID 2228 wrote to memory of 1904	2228	spoolsv.exe	38
PID 2756 wrote to memory of 776	2756	explorer.exe	39
PID 2756 wrote to memory of 776	2756	explorer.exe	39
PID 2756 wrote to memory of 776	2756	explorer.exe	39
PID 2756 wrote to memory of 776	2756	explorer.exe	39
PID 776 wrote to memory of 1088	776	spoolsv.exe	40
PID 776 wrote to memory of 1088	776	spoolsv.exe	40
PID 776 wrote to memory of 1088	776	spoolsv.exe	40
PID 776 wrote to memory of 1088	776	spoolsv.exe	40
PID 2756 wrote to memory of 1668	2756	explorer.exe	41
PID 2756 wrote to memory of 1668	2756	explorer.exe	41
PID 2756 wrote to memory of 1668	2756	explorer.exe	41
PID 2756 wrote to memory of 1668	2756	explorer.exe	41
PID 1668 wrote to memory of 952	1668	spoolsv.exe	42
PID 1668 wrote to memory of 952	1668	spoolsv.exe	42
PID 1668 wrote to memory of 952	1668	spoolsv.exe	42
PID 1668 wrote to memory of 952	1668	spoolsv.exe	42
PID 2756 wrote to memory of 108	2756	explorer.exe	43
PID 2756 wrote to memory of 108	2756	explorer.exe	43

C:\Users\Admin\AppData\Local\Temp\73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
"C:\Users\Admin\AppData\Local\Temp\73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe
  "C:\Users\Admin\AppData\Local\Temp\73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496N.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2852
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 108 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 36
        6⤵
        Program crash
        
        PID:2604
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:264
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
94743e590c3fa90bcddac54c6aafd890

SHA1
6f18625ff07e8e0090da94a8a2cbd13db77510ca

SHA256
73a5d3df22efcc947b94cfc6dd9f09f61cc27dff926b1357048c8b1d26c9a496

SHA512
eb48f27ded31c5ad6e42f29aba19241477155f9cf65fb8729e43cb73455f6ca57b650ceffcf64612a2a6f2c5cd7600d892ee8127a865290422931740841fff8e

Download Submit
C:\Windows\system\explorer.exe

Filesize
8.2MB

MD5
d22be7e239478567588a8f80cabd71c1

SHA1
007931683f3aadadaaa2c1a3512a2f0a5d76db98

SHA256
915c4ced8d69387cea33ccfedf339f6fdcb95a161075f0521c0d8b8f3def6672

SHA512
7bc9b0d125f96e0c7bad57382ef869b52e4136eaa4c8ae2c6c9354eb97a12c115a824ac9d004260853953325a7f0cdf2791238d8af29ebd1f2eacb51050c6935

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
4.4MB

MD5
43636ec9a5b02942df4ff04429b73a06

SHA1
1acf4771a710a9f5a1509ad6a99d14aa4ceda2ed

SHA256
bd2d97e4ba6cd6ac9a672337799a61a485fe94445be3b2556533c3381753703a

SHA512
fea9f4e14b87b95a1d7fc3e0f8f2cac3e4c0ad76cf3eb5c8ce2d4a1f850d99387cabc748dc24f3701a720570d499126aa83b9f5d4b5fba868f85880f5392b5d2

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.8MB

MD5
28748d44815770c465357d5e08b41458

SHA1
60f48709126f3e469c0d857b36091e07913f2602

SHA256
8bde1dbf50c67b3f881e0dd20bbd966fca8e82a96bf2971f607efee3f3d3adf1

SHA512
956451e337a53e92b4ae67ea38b35fa3c36881b1c0499c98032f7562c10c4c2e52f6efebdbd71072c0a26efe620b7485a45e5864964098da7b56625daa74bebc

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.1MB

MD5
1b1ec380f7d482fcd230d067561a655c

SHA1
2a954e7ee2914dccb8103e4a1b89f9ce52b243db

SHA256
a40d7b1b5ad0d63c9324a1523441a46ac23d2fc8d3ed6a2dde710727269e95bb

SHA512
d85a196a5d22410a8378c0065e10396e608beb1690b363ab5c0aab9d7fca7ea42d92811ca4922d3d9849ee9e3fa966a9a3e419a9e4de342c18e647015551a9dc

Download Submit
\Windows\system\spoolsv.exe

Filesize
7.4MB

MD5
626b9446f3ee31b40c2ce9b0820e2df5

SHA1
52fd8fe9739ab5e7cd4f6b1d9181a122eaac75cd

SHA256
124056f810d36c59ebe5f4c06410198145c736acb0ac334b9abd4ad3c75aebcf

SHA512
78755a3a8fd4a3bc7eab73cf416476fd6e0c9337c16088b7aac3f2ba32959f11295aab0b395c046279f544f3d68067c9e4d0e38c8f3d73fae855e6c066485e38

Download Submit
\Windows\system\spoolsv.exe

Filesize
7.9MB

MD5
6d32c89e9c8250454435d83e2ac722d3

SHA1
fe571cc3eea05e90eebcfd63dab60eba964e6b33

SHA256
4722f7c8b5d2c52b9f865df0179d9438d8a86247dcd00c1dfcf78facaca4357b

SHA512
17ecadb8975410f4d305d02875544b2b18932684d8b58d5e2d533d36dddb9d303f4636a603a65557a82440544fb609535cb0480e516bec5d4c1f7d41935ac051

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.0MB

MD5
18088d0dc64fe896e6adf163bcd8cc93

SHA1
f036ae0854bf00816e03ff152997326565a73877

SHA256
2bb6e41b40e04874ce353a9a00dd6f663c0e569bf43f19635e1ad35535e28873

SHA512
03f1f7beccf3e472c5ccf6d9d00672bb76f9fd64dd3142f73ee3d065b94364128bfb846b36d0abf3450d9ed662babccd68ba033da3c22da4c3aee9c4b55bd049

Download Submit
\Windows\system\spoolsv.exe

Filesize
7.9MB

MD5
66bdfbecb737f5b0714508684655bfbd

SHA1
6a7e27818bf146593e403334c58d576544a6d145

SHA256
619bd84e9524d45802a0dc494d1b719535ec14a433a629760df5bc50cabc1efa

SHA512
20de4cbc941e9ad3bc77f47bdf6a57ff9b301dffdc1ed8c72e18f319b36fe4dd5e6a19c194f0d2421abacc836f171990492fbee0106ca147eb138a8cde432b55

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.1MB

MD5
b49287a1121d5ad267169bf442b987d7

SHA1
402d6ea61fe288f7f6990f7b422ac0ade9234832

SHA256
b8284bcc177517f784ea7f7c8dbcb743137b4cdb293a23ea7456ab76d4f47bc8

SHA512
467cfd19733bdd6492624b4424eccf359e2b19b99362d61d66226ab9fb22a1cab0098858b10ed91cce53163ed6de12d0bd9b6fd3dbed5829854501b1ddad314b

Download Submit
\Windows\system\spoolsv.exe

Filesize
3.8MB

MD5
1e63c03ab3dd62b85558db1aa9177098

SHA1
d8dd68fd81999d53de30d2ff887a6a68bbe93c8d

SHA256
a7577d27c2c8b8a6d67b3c25c70fe7619178a1d1d4771b0909e0c2955f5515bb

SHA512
af33bc1a52150c18768be1412e121d60449f11c31885322682f661479f0fa78551fa562183d1ad295ee5710483a5efabf1daca99a4dca117d0908abbc778d197

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.1MB

MD5
ebe5f5dd2ca062da034a126f49f33e39

SHA1
6110504e263d6df1a4a29fd3d5539aadfc73d3a9

SHA256
5ba4e5572e753f9fa266ce3ebebd47f64b6214f01518e52129fb6d30e1eb6fba

SHA512
2fd565578cbbe8e5e7c2099e69dcd7592bf252b79c1458be17b7ecf704c42d2d6ac76cdf550afc41150d15b30a357583b7ba5a28edf51da0d2c65f68b8859779

Download Submit
\Windows\system\spoolsv.exe

Filesize
3.8MB

MD5
78fb6d8aab327aa3181ec4a7373beda7

SHA1
91289795e2b713300b384b0a1a6b9565f076209f

SHA256
ff5cdad69024eed02e26d5fdc22413698baacb06c9ab083a085ac3fb7a46a86e

SHA512
5af29311407b33aa2cf3192516e2fe0a445a54d8c6dd2d61ff252032a3ca86e551241a88d433cda7932c9f866c08530beb13d1eece2ebc9e64c343f7ce7761b3

Download Submit
\Windows\system\spoolsv.exe

Filesize
3.6MB

MD5
3fdcc1d8f08111532d4a90ef4893dea0

SHA1
6b390cff2a446f5a9218cc4a0d574ee0f0cb090c

SHA256
a75fbad3effe4da36d1b35bf439b5cc551200c47fe896b0c548fc817642ce5b4

SHA512
0a9af73a9e0edb147f6ffc2a839918b1235643da25a467c6bcc3555cfa8654597866ffd4999dcf3ddd1df9fb86e578ebd3ac5c4c34127af4a60d07c312a86f06

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.2MB

MD5
8b52e8bb89161332334fd7c1535529c5

SHA1
b5795846ff0d7aca2842dc4100863be01d581a95

SHA256
09bf95a3f1903edf74c635afcb2a4aff75f02b7dda36192424a0281b260f4369

SHA512
2b9751a80809ff4d2de09de6d7fe35eb5bf78669fff6d8394039555f500b44ce0e70b6d81a5dfba47c36139c25a8a517d64b43a95799f0ce9d7bc5a4fdaa1da5

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.3MB

MD5
0de5f37fd1e34a18d013bf7fa3723e58

SHA1
571552fb69eb1d212275ce805b8a4e528650664c

SHA256
24c55074101aa2d318c0cfdd681b73a119b0d0c497a4495ce09b1b0e44789db5

SHA512
7b368dfe0b3449c04427bf1012620dc4c3e4f58d3112fefef94fbe82c7e4b81e8dd9d48b3a9f1233efc059bd932325c42da916eab4d6585062df4021b71706cc

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.1MB

MD5
5cd43acccedc8f60a84af17926554238

SHA1
703a686b6c4df99821851914f225e284cf4c2230

SHA256
b6da37d9a88ed62a4ce69c84a0d5e0000cf36f7b2d43f2a0f4bb1b9bd8cae57e

SHA512
933add920ccbff08252ab0e76082f12f05548cfd4ef81eecbac05bddc3ac79892a3cc3c55dfaf896a75da7383431dce6512567bdf38608bda09b7656230c4af0

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.0MB

MD5
d73803edb69db1f9c5dd1487bff9371f

SHA1
4653457b4756416678f05a890efe8ecdea0e2532

SHA256
42ffb94a00ce55c7c33ffae025cc69dca28f18d91f6fb4a3bbd42b05a897c600

SHA512
7f09b7a4b94ec653f4b90fb079f186e41bd8f5426e28b541a42944eb0b7c6e4c1f11f38dc60025df17b223544f4828107172a63e0c880e13581ebeb15432d8a3

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.6MB

MD5
2626b53f1854c6eb304f1a45582a5434

SHA1
3487d50b9ab3608068de82cc552458b5629a5834

SHA256
bf064031f0767f96dfcbeff783015a5838858bd42d17760568d6a4590617c3d8

SHA512
47a4bc4e4bb4e9cb089b504aced2301228b9f30c1064f4b9e759131f2a3ed773a4731457b98f87fec6229578997ad04b573f8afbd7d22c3da75964ea4cf0bb65

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.9MB

MD5
ee6b3b3fb81fbab364f4d999c07259e4

SHA1
2af9abf0310925b7ab8c0094cfcf8b9bf18d85ab

SHA256
16f85ab01b42cffa8d8f6b7e1936ee572d79a4fb75fb92674985ad84bfc3eb5f

SHA512
212f57fbc1d24a7a4c02f14257a6b1ac63cc35fdc308e1d7849415675ffcb6181c1160af7ed8c023a9401899c9f2c46c2388f9b4b7ae04874051080fecc8489d

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.6MB

MD5
f13d945fc143f9e56f2dd7fb8f0c22db

SHA1
b6a2212fec6edbed6365a04314fe8a691202ff14

SHA256
d8ce6ffe52757da485e271f787bb472c8c2cd86d237ac2d9d14d2f18b6f3a05b

SHA512
cbb8d52e99d5b489d2628b23ad5f0463e2cee60ff3719a4df844b0388afb67cc247ec9ea703341dcbd4b67e4254963cff7bfe33e2122b0b79b7bebb145fb90c2

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.9MB

MD5
fa5d231fa267388c70fb77eeb086ec80

SHA1
f5f3471d4549b731abd9349a843cf2623129e3bb

SHA256
eb888bb2bd7276e1729fb698696222bb0cf24590696cd68acf14fc7e8b9cfa03

SHA512
defda67cce1b47c5fc59950ac71a14494b9f8f5c6ec3265372379903c94a487d32e3bf271cc36ebbc17261b97ac90320028bf0e512a958b6f6a0d248ec0e5035

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.3MB

MD5
80b0d7263e82fc67eff7bbe16d28c23a

SHA1
abc564e6d4c29c1497893383e11018a18c2a901a

SHA256
a3539844a4538250bb2c28c2628f40b8724acc99342f7dadb0b5249c691cbd3c

SHA512
ff72ae19ebdbe66c69763ecb99a20e1093e9ff4ece29c7b42fefe64292272cb02dc4b90ef6d533a5776497b5ad7cdf358ad3f015ff14ae1277634e8ea87c2fef

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.2MB

MD5
da7e656dbb56a5def5a1f1d33dec98f6

SHA1
10bf80d2fac2ec61be6d15ad5892352beaaf4df4

SHA256
338aa70d4795bcf9e308ed7f86567846a63d6e7b0502873dd40a976936cc3f02

SHA512
7ca6072d005534f2918e30dd7bc4d5d070b3af608d133f7f54e09f1dd55bc129e81ae9c41623cadb754add5dab60556c587a07cd924395eb5bbd2d06f280c5ec

Download Submit
memory/108-171-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1680-23-0x0000000002D20000-0x0000000002E34000-memory.dmp

Filesize
1.1MB

Download
memory/1680-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1680-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1680-35-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1680-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1680-3-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1680-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1680-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1788-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1788-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1788-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1788-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1788-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-58-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2216-92-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2216-54-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2216-52-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2216-53-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2216-51-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2228-125-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2228-123-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2380-129-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2380-104-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2380-103-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2756-124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-150-0x0000000002E40000-0x0000000002F54000-memory.dmp

Filesize
1.1MB

Download
memory/2756-172-0x0000000002E40000-0x0000000002F54000-memory.dmp

Filesize
1.1MB

Download
memory/2756-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-83-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-160-0x0000000002E40000-0x0000000002F54000-memory.dmp

Filesize
1.1MB

Download
memory/2756-97-0x0000000002E40000-0x0000000002F54000-memory.dmp

Filesize
1.1MB

Download
memory/2756-115-0x0000000002E40000-0x0000000002F54000-memory.dmp

Filesize
1.1MB

Download
memory/2756-84-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-141-0x0000000002E40000-0x0000000002F54000-memory.dmp

Filesize
1.1MB

Download
memory/2756-180-0x0000000002E40000-0x0000000002F54000-memory.dmp

Filesize
1.1MB

Download
memory/2756-151-0x0000000002E40000-0x0000000002F54000-memory.dmp

Filesize
1.1MB

Download
memory/2852-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2852-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2852-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2852-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2852-49-0x0000000002E50000-0x0000000002F64000-memory.dmp

Filesize
1.1MB

Download
memory/2852-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2852-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download