warzonerat | bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51aff

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe
Size

8.2MB
MD5

a67389061ec513fe5bfc1215eae27650
SHA1

fa5a9c1b8ff644b9d5516cc0ceaf985052724c03
SHA256

bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51aff
SHA512

d15bf7d4aaa186d124e5edce91fc75af7a26b57e210ef1e7d93f6fd72aa3036bd9e5252063d5dd9514689fc3c5254bb195a243ee95d65f2bcd28dda4565fc2a2
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecp:V8e8e8f8e8e8G

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 25 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000016d5a-43.dat	warzonerat
behavioral1/files/0x0008000000016cf0-77.dat	warzonerat
behavioral1/files/0x0008000000016d71-99.dat	warzonerat
behavioral1/files/0x0008000000016d71-169.dat	warzonerat
behavioral1/files/0x0008000000016d71-183.dat	warzonerat
behavioral1/files/0x0008000000016d71-184.dat	warzonerat
behavioral1/files/0x0008000000016d71-182.dat	warzonerat
behavioral1/files/0x0008000000016d71-181.dat	warzonerat
behavioral1/files/0x0008000000016d71-180.dat	warzonerat
behavioral1/files/0x0008000000016d71-179.dat	warzonerat
behavioral1/files/0x0008000000016d71-178.dat	warzonerat
behavioral1/files/0x0008000000016d71-175.dat	warzonerat
behavioral1/files/0x0008000000016d71-171.dat	warzonerat
behavioral1/files/0x0008000000016d71-188.dat	warzonerat
behavioral1/files/0x0008000000016d71-203.dat	warzonerat
behavioral1/files/0x0008000000016d71-201.dat	warzonerat
behavioral1/files/0x0008000000016d71-200.dat	warzonerat
behavioral1/files/0x0008000000016d71-199.dat	warzonerat
behavioral1/files/0x0008000000016d71-197.dat	warzonerat
behavioral1/files/0x0008000000016d71-196.dat	warzonerat
behavioral1/files/0x0008000000016d71-194.dat	warzonerat
behavioral1/files/0x0008000000016d71-190.dat	warzonerat
behavioral1/files/0x0008000000016d71-216.dat	warzonerat
behavioral1/files/0x0008000000016d71-213.dat	warzonerat
behavioral1/files/0x0008000000016d71-209.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 25 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000016d5a-43.dat	aspack_v212_v242
behavioral1/files/0x0008000000016cf0-77.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-99.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-169.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-183.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-184.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-182.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-181.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-180.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-179.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-178.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-175.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-171.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-188.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-203.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-201.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-200.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-199.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-197.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-196.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-194.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-190.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-216.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-213.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d71-209.dat	aspack_v212_v242

Executes dropped EXE 9 IoCs

pid	Process
2920	explorer.exe
1800	explorer.exe
1948	spoolsv.exe
816	spoolsv.exe
1016	spoolsv.exe
1640	spoolsv.exe
2968	spoolsv.exe
2076	spoolsv.exe
1604	spoolsv.exe

Loads dropped DLL 51 IoCs

pid	Process
2012	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe
2012	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
1800	explorer.exe
1800	explorer.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe
1800	explorer.exe
1800	explorer.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1800	explorer.exe
1800	explorer.exe
656	WerFault.exe
656	WerFault.exe
656	WerFault.exe
656	WerFault.exe
656	WerFault.exe
656	WerFault.exe
656	WerFault.exe
1800	explorer.exe
1800	explorer.exe
584	WerFault.exe
584	WerFault.exe
584	WerFault.exe
584	WerFault.exe
584	WerFault.exe
584	WerFault.exe
584	WerFault.exe
1800	explorer.exe
1800	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 2012	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	31
PID 2484 set thread context of 2668	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	32
PID 2920 set thread context of 1800	2920	explorer.exe	34
PID 2920 set thread context of 1700	2920	explorer.exe	35

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2184	816	WerFault.exe	37
1072	1016	WerFault.exe	39
1204	1640	WerFault.exe
656	2968	WerFault.exe
584	2076	WerFault.exe	45
1956	1604	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2012	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2012	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe
2012	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2012	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	31
PID 2484 wrote to memory of 2012	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	31
PID 2484 wrote to memory of 2012	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	31
PID 2484 wrote to memory of 2012	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	31
PID 2484 wrote to memory of 2012	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	31
PID 2484 wrote to memory of 2012	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	31
PID 2484 wrote to memory of 2012	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	31
PID 2484 wrote to memory of 2012	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	31
PID 2484 wrote to memory of 2012	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	31
PID 2484 wrote to memory of 2668	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	32
PID 2484 wrote to memory of 2668	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	32
PID 2484 wrote to memory of 2668	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	32
PID 2484 wrote to memory of 2668	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	32
PID 2484 wrote to memory of 2668	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	32
PID 2484 wrote to memory of 2668	2484	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	32
PID 2012 wrote to memory of 2920	2012	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	33
PID 2012 wrote to memory of 2920	2012	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	33
PID 2012 wrote to memory of 2920	2012	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	33
PID 2012 wrote to memory of 2920	2012	bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe	33
PID 2920 wrote to memory of 1800	2920	explorer.exe	34
PID 2920 wrote to memory of 1800	2920	explorer.exe	34
PID 2920 wrote to memory of 1800	2920	explorer.exe	34
PID 2920 wrote to memory of 1800	2920	explorer.exe	34
PID 2920 wrote to memory of 1800	2920	explorer.exe	34
PID 2920 wrote to memory of 1800	2920	explorer.exe	34
PID 2920 wrote to memory of 1800	2920	explorer.exe	34
PID 2920 wrote to memory of 1800	2920	explorer.exe	34
PID 2920 wrote to memory of 1800	2920	explorer.exe	34
PID 2920 wrote to memory of 1700	2920	explorer.exe	35
PID 2920 wrote to memory of 1700	2920	explorer.exe	35
PID 2920 wrote to memory of 1700	2920	explorer.exe	35
PID 2920 wrote to memory of 1700	2920	explorer.exe	35
PID 2920 wrote to memory of 1700	2920	explorer.exe	35
PID 2920 wrote to memory of 1700	2920	explorer.exe	35
PID 1800 wrote to memory of 1948	1800	explorer.exe	36
PID 1800 wrote to memory of 1948	1800	explorer.exe	36
PID 1800 wrote to memory of 1948	1800	explorer.exe	36
PID 1800 wrote to memory of 1948	1800	explorer.exe	36
PID 1800 wrote to memory of 816	1800	explorer.exe	37
PID 1800 wrote to memory of 816	1800	explorer.exe	37
PID 1800 wrote to memory of 816	1800	explorer.exe	37
PID 1800 wrote to memory of 816	1800	explorer.exe	37
PID 816 wrote to memory of 2184	816	spoolsv.exe	38
PID 816 wrote to memory of 2184	816	spoolsv.exe	38
PID 816 wrote to memory of 2184	816	spoolsv.exe	38
PID 816 wrote to memory of 2184	816	spoolsv.exe	38
PID 1800 wrote to memory of 1016	1800	explorer.exe	39
PID 1800 wrote to memory of 1016	1800	explorer.exe	39
PID 1800 wrote to memory of 1016	1800	explorer.exe	39
PID 1800 wrote to memory of 1016	1800	explorer.exe	39
PID 1016 wrote to memory of 1072	1016	spoolsv.exe	40
PID 1016 wrote to memory of 1072	1016	spoolsv.exe	40
PID 1016 wrote to memory of 1072	1016	spoolsv.exe	40
PID 1016 wrote to memory of 1072	1016	spoolsv.exe	40
PID 1800 wrote to memory of 1640	1800	explorer.exe	41
PID 1800 wrote to memory of 1640	1800	explorer.exe	41
PID 1800 wrote to memory of 1640	1800	explorer.exe	41
PID 1800 wrote to memory of 1640	1800	explorer.exe	41
PID 1640 wrote to memory of 1204	1640	spoolsv.exe	42
PID 1640 wrote to memory of 1204	1640	spoolsv.exe	42
PID 1640 wrote to memory of 1204	1640	spoolsv.exe	42
PID 1640 wrote to memory of 1204	1640	spoolsv.exe	42
PID 1800 wrote to memory of 2968	1800	explorer.exe	43
PID 1800 wrote to memory of 2968	1800	explorer.exe	43

C:\Users\Admin\AppData\Local\Temp\bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe
"C:\Users\Admin\AppData\Local\Temp\bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe
  "C:\Users\Admin\AppData\Local\Temp\bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51affN.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:816
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2968
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1604
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 36
        6⤵
        Program crash
        
        PID:1956
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1700
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
a67389061ec513fe5bfc1215eae27650

SHA1
fa5a9c1b8ff644b9d5516cc0ceaf985052724c03

SHA256
bdf4086603e966e80a3cbdd357acf7d1ca0ac4f42aa9daa96199bcad22e51aff

SHA512
d15bf7d4aaa186d124e5edce91fc75af7a26b57e210ef1e7d93f6fd72aa3036bd9e5252063d5dd9514689fc3c5254bb195a243ee95d65f2bcd28dda4565fc2a2

Download Submit
C:\Windows\system\explorer.exe

Filesize
8.2MB

MD5
3e24457cb7454b67c33a1c1dab8da3a0

SHA1
88508c561cf41bfde21bb1f538c559080ebff184

SHA256
9ddfca3625018a340a0da45b9bafe3731cb6f0abc077fef4849c8057e820f1c4

SHA512
16fb1f14eb5a5bb6b25ae4bf3fc9902debd1539328affe352e43f513bc75eea1dcb3ab5de4e388f5925f3a3eb9ef315cd1496921c57f2b6185596fd045f4cc95

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
7.4MB

MD5
4b16dcc97b0a36dec1ed0a9fae021ee7

SHA1
dd41b78e8e31ae898f01245c2ed6363e6cef5a9f

SHA256
60b684fcda2b64ec6509d3558bb22c156a11fc7ef8a251c7d80bf53292e0f51a

SHA512
c7a0ec9f87effa7b49843ebc833cde9107b14d97b1c5317810ef9839e2ed5a7d52f37afb6ae5dad90d7d56e1b48a7a987ff74d8521835498ad1d7a38b1eacefb

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
4.9MB

MD5
c39aa716fbb96062fe040688ad255633

SHA1
cd5209d7bfd0b73ca9c3103d5eb0d2221da85679

SHA256
33caf3c681aa9d1c812f0d7d3a50e96b14e439f91ff964d5d393217dedc7b16e

SHA512
a2f9a07641c8e95f6bdfe372e00539de5ac3eb0af3b354e6ccdb4bbfc484209bdd8f3318a67d46dba56c48564cb927a6e96d7ae520fca296f705f916525cb0fc

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.6MB

MD5
37c104e2b76a6d2749635c971db6f83c

SHA1
e05e5ab1e986e3cc0aae8595b7e742a7b83b47c6

SHA256
d896a2eee5d64597550db00407803bd07f738d8f5215fb1ad9dc44c365c145b7

SHA512
a8586397c00c24282b1cfc9393d1eee72e4fff2753e4e41f5d2155881130f2ed2076db7f2c67de9872ac23077a42d9b78484ff6388c49727d0d147df51b1ed5b

Download Submit
\Windows\system\spoolsv.exe

Filesize
7.1MB

MD5
2cb25d41764f4e81cf13f0bacf6ccbab

SHA1
91b3c3524f59b84d3721d8a6b6b624d92be8b2c1

SHA256
a7b31ccf6c7a1769df590efde49391a65a102b6ec063cc73e051d8b8fbc0d848

SHA512
769f7f7c859fb4ed626a3986ef56a56f9a4403ad84f13005632c19c0d0b3460c6f5fdac62cae75c45dc473452056f00912eb51261911307df21d78967c2fb678

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.1MB

MD5
e4aff52d41258b2b3cfb629e12f16ced

SHA1
0e38c2ae6c477f23c98b355c5759bfb334df1176

SHA256
787473f3c7cf418228ceb145fe85c484a1d4d82a0c682270a4f8aaf2e7ddf161

SHA512
d07c9c77e36156afd60becefde40225a1a5a5da6c8ad85bb8ad2e814a4e67a7d83255b14d827343a74946c8f8e448309b0c56cd8bf7fe50441f70b78dfe48253

Download Submit
\Windows\system\spoolsv.exe

Filesize
7.2MB

MD5
4012d263ef92c5881d0abfc3f06a86bd

SHA1
2410c2111a88f446bb6cf3cfd48bd22493c08f43

SHA256
6094e882d5ca77381ffa35892856126aee9dc5b34e7a0ea0a4c65ffde0dcecbb

SHA512
4eda592db187265c64eb44f9b3c660781ee142d2f735a5b35b7a4d5713a68fb1cf91a2dc527bbdb17b33935038eb11c0008703b3e454b7986424f4cb1fbde50c

Download Submit
\Windows\system\spoolsv.exe

Filesize
7.1MB

MD5
3cdf893d37ddee91bca730d9867449cc

SHA1
7fca62f44077f1a9da13c44167aeebdba0799d59

SHA256
059d71647e98b0a752833662385107b88dc4b85b6a22256ea39f9151e520b2e8

SHA512
c58c63f4018118f42bb26824abe7b01c89b51dd5bb41a97fdbdd33cf48e2f02b8babcd120e1c44b59c495d6a9d5eef5a0ddbeb44fe0d38d18395eebf49fb3a26

Download Submit
\Windows\system\spoolsv.exe

Filesize
7.1MB

MD5
2ad4122e4b1bb66191264d4f0a2e941f

SHA1
a38af08551def331ac3054b46dc7773f98ebe99c

SHA256
34db2556f87f29983daee7918ec886014c9c333cdbd5ef3917930c70bd85e769

SHA512
bd1a14320e607cea91b0d7105ee786f1093051b7295497041c735c30c2c9ca6bac15c1b7ff431b3f83d7cfdba766d12219af92100b998cb1e3b39b00e8537314

Download Submit
\Windows\system\spoolsv.exe

Filesize
6.1MB

MD5
13f8b6a318383c73349ad4acaef1c37b

SHA1
70c954d06f453bf40efa09553604f5cbdf194f88

SHA256
7e0c19ecfd95a0ecdeea30712cb1c32539c7bf8397ff02af69f4fe0027055546

SHA512
67587ed5a0c5fd90b058079cd097385753859eb7afe1c2276c38adc3b7b16c9b4336f19cfc58e93e748273ececbe361047f94e3866c98b2eff46cce164fcb0c2

Download Submit
\Windows\system\spoolsv.exe

Filesize
7.9MB

MD5
42df0420449ed9912279a8d86c74483c

SHA1
2636613884b903bdf081e750ef8987947b2db95a

SHA256
7ec10e3ff8f1558d788d81fb8e86fd88df17bfa8344609ac60444da1c2974b25

SHA512
e869a532b44b10654bc82900ce323aa8baaf26ca9dd031c5e6eabc6dc5069721f56886019873dc825a7541290fac749bb63b297c87173def6316a0f4f7b7d366

Download Submit
\Windows\system\spoolsv.exe

Filesize
7.6MB

MD5
219491ec87c9823f0fb5d11844ce255a

SHA1
597851c06f7ec010cb8b5e95089105069e3ca4f3

SHA256
d2f53b705dbae3e1d4d1acc727fb469f66fb1f4a2151275926dd4744a3a4b03b

SHA512
e9c56269c77a691944abaa7a15bbc64581126400c8824891dd1eb1b30bfe762b6de0630649068061189980c75d3996f38ce779c97f5187c3409588c1a44c1aff

Download Submit
\Windows\system\spoolsv.exe

Filesize
7.3MB

MD5
de67740516e4b4186b76948d1e75ebe6

SHA1
66828da4c17b886dd5353e7001a59219e6dda142

SHA256
34c5965f537380d4e6363750ff1d37147baf23aeab8ff5de67a42a4cdc0a79ae

SHA512
b423714a4224b2dbc9e1cf9bc96357c98a9e6d57d193b034a1483715b1e66900528b4a4169b940e35eaccde9ea446ab7b9ca583ace912a49834b3cf83c4e391a

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.6MB

MD5
063bbc631f387142eaab772cc33b6556

SHA1
f9ff37a7125ea9d10d8aaaca5547f17ac6a3ada2

SHA256
21238163eea69cc3afdf6344d96756c7045820dfe0280add3fb4c59fa12dd8af

SHA512
27a361568544fb967fe80529344bf789c8e6cae9abd3c95ade1815773c5eccd34c4b05260c59558b80414775662f06fa624d08bd088a4132b001780d2194cdd4

Download Submit
\Windows\system\spoolsv.exe

Filesize
5.1MB

MD5
b365fe676170f77e2d76fb4ab1d4b333

SHA1
01263f365c04d956eea749f391315dfdaf5bbace

SHA256
21932a5d763d09b1c1c97055e620e9ba8f4ad9541527a1414859d31147ffcb3a

SHA512
1f13477022f47c787ddc0b9764d52b6ded63b45bcd11cfea9670777fa2e27d2b524c52db12b3fd21686b9861823592ecb6f1100d162dbf8788a49ced211b134b

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.8MB

MD5
3cfa1f0bf4409d52fcc30f52833c0a1a

SHA1
82ab0b1a15835bbe2f1e5694410e4157a56346eb

SHA256
6a40c7e5f1ad2cdc15d6baf11ecbfa12a4202124c19b230d188340d18eb9348a

SHA512
d7b52b86d048c9b8fb162cb11d899f3a43cf89a318bdf95e2f7d09f7a421cea728de8f2574b06eaf7362f2ca782ff78b1e5625f14492d0d0e12c774465171e0b

Download Submit
\Windows\system\spoolsv.exe

Filesize
5.6MB

MD5
44684ba17eb379ad865fb25e7aeb0c58

SHA1
fa52ff45d588d122e1b7886cb551200f4ac48d1f

SHA256
6e7e5611ee8099ad9d66bef21c34f5e3a16d00e5547404eebca00bc283df2343

SHA512
bcb2168cdbc3913eab9a460ae78684d88cea2e94077f8b30ad9725e74b16a98120682e8a49eb04b0928b0ddaa83c5936426e80dfccb656a931561ad6aaa86229

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.6MB

MD5
4734234853df5bb2c3bc178b33e4a429

SHA1
33a3b9d4b05edb35213730f26e14d914a0b9092f

SHA256
921508bbbecab1c655657e725192131e6197a1990844809e6c23654a3a27a9d5

SHA512
f6cc65693a1bf006f0b9ecd6e32fd2adc2af675b9ca0b09c2d43501f9c119131ade598ed3bf10eb61ee2f6c98092f4c2ab8988f389dde28bffe03c667d8fb84c

Download Submit
\Windows\system\spoolsv.exe

Filesize
5.2MB

MD5
10056f4c976ce9e743716db2e58fb963

SHA1
07711ad45499d41577814e390d4338e1f2a975f6

SHA256
9f06fab401c84632f2ea83b6d76796f98f8ee6c78255c556cb873dc52738eb32

SHA512
2204927bff8f3ad2be4bc722ec1cc46df817bd08d54ea8163c190250d76b8ac4c7add2c7726512166a5365f33964fcd92c3d6cfa15b681625029a484c6ab808b

Download Submit
\Windows\system\spoolsv.exe

Filesize
5.1MB

MD5
f5ca97d246bcda258d4460b94e9bd559

SHA1
ace92b0b7703125e598aa9cd9bb1a719da5ec343

SHA256
7afda2dfc8d230f3d4c4405f3f50c464dc0b7377a832e1fe01a76b8979ff5da8

SHA512
9e2423a5dc414ce0c4d7112011440b1f19afed656b973ad8deb9bf123f7739ff0bce0a4c16c955c2eaf32df790e1f8c615f66a4d450c506703229433a0595650

Download Submit
\Windows\system\spoolsv.exe

Filesize
3.9MB

MD5
ba153aad460d6c5d35061122dc440da0

SHA1
0d7738532678dfe46a55d1da4b4e6294c9496d18

SHA256
8cacc6b6f8e258df482802db943accef1c88f6a767175cfa01a976d3afccc8c6

SHA512
5318898301bba45dee3a2f6a191cf0d3d89b316bbab75b8c4ae6ced79b6dc43c066bf63cd0ffe4223dd4d92eb074d808e7c40383e64207d646a78c926eacab51

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.8MB

MD5
28748d44815770c465357d5e08b41458

SHA1
60f48709126f3e469c0d857b36091e07913f2602

SHA256
8bde1dbf50c67b3f881e0dd20bbd966fca8e82a96bf2971f607efee3f3d3adf1

SHA512
956451e337a53e92b4ae67ea38b35fa3c36881b1c0499c98032f7562c10c4c2e52f6efebdbd71072c0a26efe620b7485a45e5864964098da7b56625daa74bebc

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.6MB

MD5
5977cb99cac3518905f28f1435f09a3f

SHA1
519b3dba4444b4951e596aa4189b6d74a29f5282

SHA256
908131b315e80afab303849ce7fffb6342ae8764755467d552d92553ed30014a

SHA512
18adfc031e7eeb243d0b512ae2b3411ca58f72599e61942c33be8b41f78fd4561a2661bcfd2cb5d7b74bf49d55aadc0b4d9cde82d4776118644d672a23b52b1d

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.2MB

MD5
935078dc75dfa69c52a4aae74a85adf7

SHA1
fb980a066ab618d458262b5c896d24f90f845e6d

SHA256
d95bfba2dab9b7af3475a5965511340d3cb177ca9a30d2844648e967c7448f80

SHA512
36f4cf8a930f4946a78f8faabdeb0010b57e58e65d9e9ba9d753e77d7fdc2df495d4c6db33af1316a3b834311e9ae2bf4b24d58470680cf783225d6470e3ad33

Download Submit
memory/816-130-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/816-120-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1016-143-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1604-215-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1700-91-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1800-104-0x00000000032C0000-0x00000000033D4000-memory.dmp

Filesize
1.1MB

Download
memory/1800-140-0x00000000032C0000-0x00000000033D4000-memory.dmp

Filesize
1.1MB

Download
memory/1800-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1800-138-0x00000000032C0000-0x00000000033D4000-memory.dmp

Filesize
1.1MB

Download
memory/1800-139-0x00000000032C0000-0x00000000033D4000-memory.dmp

Filesize
1.1MB

Download
memory/1800-214-0x00000000032C0000-0x00000000033D4000-memory.dmp

Filesize
1.1MB

Download
memory/1800-195-0x00000000032C0000-0x00000000033D4000-memory.dmp

Filesize
1.1MB

Download
memory/1800-119-0x00000000032C0000-0x00000000033D4000-memory.dmp

Filesize
1.1MB

Download
memory/1800-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1800-108-0x00000000032C0000-0x00000000033D4000-memory.dmp

Filesize
1.1MB

Download
memory/1800-202-0x00000000032C0000-0x00000000033D4000-memory.dmp

Filesize
1.1MB

Download
memory/1800-141-0x00000000032C0000-0x00000000033D4000-memory.dmp

Filesize
1.1MB

Download
memory/1800-176-0x00000000032C0000-0x00000000033D4000-memory.dmp

Filesize
1.1MB

Download
memory/1948-129-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1948-105-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1948-106-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1948-107-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2012-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-53-0x0000000003200000-0x0000000003314000-memory.dmp

Filesize
1.1MB

Download
memory/2012-54-0x0000000003200000-0x0000000003314000-memory.dmp

Filesize
1.1MB

Download
memory/2012-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2484-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2484-6-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2484-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2484-38-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2484-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2484-21-0x0000000001FD0000-0x00000000020E4000-memory.dmp

Filesize
1.1MB

Download
memory/2484-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2668-40-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2668-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2668-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2668-39-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2668-29-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2920-58-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2920-88-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2920-51-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2920-56-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2920-55-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2920-52-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2968-177-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download