warzonerat | fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe
Size

8.9MB
MD5

6a052e6831d9c5e6df1443b450566850
SHA1

da413c51d398f49b7dde72f44693158797214c1a
SHA256

fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88
SHA512

d78a8999529598b978e2d34a5980a18f96c8d1210b70df5c797fcc96e2d2a665b04be055ed5907318c878d03da2da8e26bc1cf0a8c564e20b867e53ec1ee2135
SSDEEP

49152:K1XP6rPbNechC0bNechC0bNecIC0bNechC0bNechC0bNece:K1+8e8e8f8e8e8d

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023cc1-15.dat	warzonerat
behavioral2/files/0x0008000000023cbf-30.dat	warzonerat
behavioral2/files/0x00030000000226df-45.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
1704	explorer.exe
2752	explorer.exe
3172	spoolsv.exe
5040	spoolsv.exe
4016	spoolsv.exe
1608	spoolsv.exe
2196	spoolsv.exe
4996	spoolsv.exe
2736	spoolsv.exe
2260	spoolsv.exe
800	spoolsv.exe
4652	spoolsv.exe
640	spoolsv.exe
4296	spoolsv.exe
852	spoolsv.exe
3720	spoolsv.exe
1356	spoolsv.exe
212	spoolsv.exe
64	spoolsv.exe
2372	spoolsv.exe
1220	spoolsv.exe
3836	spoolsv.exe
4024	spoolsv.exe
4544	spoolsv.exe
3948	spoolsv.exe
536	spoolsv.exe
2652	spoolsv.exe
3908	spoolsv.exe
4336	spoolsv.exe
4612	spoolsv.exe
4516	spoolsv.exe
3552	spoolsv.exe
3684	spoolsv.exe
5112	spoolsv.exe
2876	spoolsv.exe
512	spoolsv.exe
3080	spoolsv.exe
4628	spoolsv.exe
3660	spoolsv.exe
4408	spoolsv.exe
3372	spoolsv.exe
2912	spoolsv.exe
2492	spoolsv.exe
920	spoolsv.exe
4104	spoolsv.exe
3152	spoolsv.exe
1060	spoolsv.exe
1152	spoolsv.exe
2076	spoolsv.exe
1724	spoolsv.exe
4692	spoolsv.exe
4780	spoolsv.exe
768	spoolsv.exe
3636	spoolsv.exe
4844	spoolsv.exe
1784	spoolsv.exe
628	spoolsv.exe
3004	spoolsv.exe
3196	spoolsv.exe
1652	spoolsv.exe
2840	spoolsv.exe
464	spoolsv.exe
4412	spoolsv.exe
1264	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4104 set thread context of 700	4104	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	99
PID 1704 set thread context of 2752	1704	explorer.exe	102
PID 1704 set thread context of 3124	1704	explorer.exe	103

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
700	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe
700	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2752	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
700	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe
700	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 700	4104	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	99
PID 4104 wrote to memory of 700	4104	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	99
PID 4104 wrote to memory of 700	4104	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	99
PID 4104 wrote to memory of 700	4104	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	99
PID 4104 wrote to memory of 700	4104	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	99
PID 4104 wrote to memory of 700	4104	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	99
PID 4104 wrote to memory of 700	4104	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	99
PID 4104 wrote to memory of 700	4104	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	99
PID 4104 wrote to memory of 2428	4104	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	100
PID 4104 wrote to memory of 2428	4104	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	100
PID 4104 wrote to memory of 2428	4104	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	100
PID 700 wrote to memory of 1704	700	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	101
PID 700 wrote to memory of 1704	700	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	101
PID 700 wrote to memory of 1704	700	fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe	101
PID 1704 wrote to memory of 2752	1704	explorer.exe	102
PID 1704 wrote to memory of 2752	1704	explorer.exe	102
PID 1704 wrote to memory of 2752	1704	explorer.exe	102
PID 1704 wrote to memory of 2752	1704	explorer.exe	102
PID 1704 wrote to memory of 2752	1704	explorer.exe	102
PID 1704 wrote to memory of 2752	1704	explorer.exe	102
PID 1704 wrote to memory of 2752	1704	explorer.exe	102
PID 1704 wrote to memory of 2752	1704	explorer.exe	102
PID 1704 wrote to memory of 3124	1704	explorer.exe	103
PID 1704 wrote to memory of 3124	1704	explorer.exe	103
PID 1704 wrote to memory of 3124	1704	explorer.exe	103
PID 1704 wrote to memory of 3124	1704	explorer.exe	103
PID 1704 wrote to memory of 3124	1704	explorer.exe	103
PID 2752 wrote to memory of 3172	2752	explorer.exe	104
PID 2752 wrote to memory of 3172	2752	explorer.exe	104
PID 2752 wrote to memory of 3172	2752	explorer.exe	104
PID 2752 wrote to memory of 5040	2752	explorer.exe	105
PID 2752 wrote to memory of 5040	2752	explorer.exe	105
PID 2752 wrote to memory of 5040	2752	explorer.exe	105
PID 2752 wrote to memory of 4016	2752	explorer.exe	106
PID 2752 wrote to memory of 4016	2752	explorer.exe	106
PID 2752 wrote to memory of 4016	2752	explorer.exe	106
PID 2752 wrote to memory of 1608	2752	explorer.exe	107
PID 2752 wrote to memory of 1608	2752	explorer.exe	107
PID 2752 wrote to memory of 1608	2752	explorer.exe	107
PID 2752 wrote to memory of 2196	2752	explorer.exe	108
PID 2752 wrote to memory of 2196	2752	explorer.exe	108
PID 2752 wrote to memory of 2196	2752	explorer.exe	108
PID 2752 wrote to memory of 4996	2752	explorer.exe	109
PID 2752 wrote to memory of 4996	2752	explorer.exe	109
PID 2752 wrote to memory of 4996	2752	explorer.exe	109
PID 2752 wrote to memory of 2736	2752	explorer.exe	110
PID 2752 wrote to memory of 2736	2752	explorer.exe	110
PID 2752 wrote to memory of 2736	2752	explorer.exe	110
PID 2752 wrote to memory of 2260	2752	explorer.exe	111
PID 2752 wrote to memory of 2260	2752	explorer.exe	111
PID 2752 wrote to memory of 2260	2752	explorer.exe	111
PID 2752 wrote to memory of 800	2752	explorer.exe	112
PID 2752 wrote to memory of 800	2752	explorer.exe	112
PID 2752 wrote to memory of 800	2752	explorer.exe	112
PID 2752 wrote to memory of 4652	2752	explorer.exe	113
PID 2752 wrote to memory of 4652	2752	explorer.exe	113
PID 2752 wrote to memory of 4652	2752	explorer.exe	113
PID 2752 wrote to memory of 640	2752	explorer.exe	114
PID 2752 wrote to memory of 640	2752	explorer.exe	114
PID 2752 wrote to memory of 640	2752	explorer.exe	114
PID 2752 wrote to memory of 4296	2752	explorer.exe	115
PID 2752 wrote to memory of 4296	2752	explorer.exe	115
PID 2752 wrote to memory of 4296	2752	explorer.exe	115
PID 2752 wrote to memory of 852	2752	explorer.exe	116

C:\Users\Admin\AppData\Local\Temp\fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe
"C:\Users\Admin\AppData\Local\Temp\fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe
  "C:\Users\Admin\AppData\Local\Temp\fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88N.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:700
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:64
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5456
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:3124
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.9MB

MD5
6a052e6831d9c5e6df1443b450566850

SHA1
da413c51d398f49b7dde72f44693158797214c1a

SHA256
fadbc898d87f572dae942bfc42febf2f740ab758ebfaec0e6f5ce7b24cdb5e88

SHA512
d78a8999529598b978e2d34a5980a18f96c8d1210b70df5c797fcc96e2d2a665b04be055ed5907318c878d03da2da8e26bc1cf0a8c564e20b867e53ec1ee2135

Download Submit
C:\Windows\System\explorer.exe

Filesize
8.9MB

MD5
b7af65ccc39f42f211672ec2f20b3034

SHA1
97659ac69f0753e015a52e3dfa20b044af49efb7

SHA256
1968d01b59252a75c0c42a94ed14d84452384adffaffbfbf85199370021b693f

SHA512
08a1a951c9dda80e5afbfa941bed8f97d3d492f48f4ac7e3081b417cafffbdb65c4b2318056b80163dbc2041b286050f1a314ac9de8b6c367053ac3903f0adf4

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.9MB

MD5
6661a4df56fce526bab1c2c6bdb7f385

SHA1
720b340ede618069fe5b2ee4b2ec668a4e0ff475

SHA256
b4344c7b24078274e463d2ccd75f9b0eba8fdaaa07d51beb4d430ccd5b977b01

SHA512
4728ed14d4bc07bf8ca4dc8312d68f9fae75b601d36f7433bf3d0073e9e3124995ac169fd489512a26da1cd6d79982b6b898b3d2962e09dfe68c5d120063f102

Download Submit
memory/64-96-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/212-94-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/436-186-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/464-180-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/512-113-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/512-134-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/536-112-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/628-175-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/640-83-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/700-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/700-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/700-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/768-170-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/800-78-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/852-88-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/920-152-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1060-158-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1152-160-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1220-101-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1264-182-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1356-70-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1356-92-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1424-185-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1440-184-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1440-174-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1516-183-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1608-67-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1652-167-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1652-178-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1704-23-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1704-20-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1704-19-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1704-41-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1724-144-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1724-166-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1784-173-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2076-141-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2076-163-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2196-69-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2260-76-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2372-99-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2492-150-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2580-191-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2652-115-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2736-74-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2752-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2840-179-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2876-132-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2912-148-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2912-126-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3004-176-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3004-161-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3080-136-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3124-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3124-38-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3124-40-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3152-156-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3172-61-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3196-177-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3372-146-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3520-189-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3552-125-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3636-171-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3660-140-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3684-128-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3720-90-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3736-190-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3836-104-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3836-81-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3908-117-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3948-110-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4016-65-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4024-106-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4104-154-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4104-1-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/4104-2-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4104-0-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4104-3-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/4104-11-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4128-187-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4296-85-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4336-97-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4336-119-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4408-143-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4412-181-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4448-192-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4516-123-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4544-108-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4544-86-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4568-188-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4612-121-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4628-138-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4652-80-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4652-59-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4692-168-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4780-169-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4844-172-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4996-72-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/5040-63-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/5112-130-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download