warzonerat | dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822d

Analysis

max time kernel
117s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe
Size

8.2MB
MD5

de399ee5f64c1f9510ade80df9dcee80
SHA1

7902c4ae51e346105653482db4d4be2aa1cc35f2
SHA256

dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822d
SHA512

872b0115be83ab59cc76a40a88b65aca8e834aa6a77d5ba652989dd0f01312a3aedba0427da8c62f4d0745b0e0d409715eed948cd8438caff0b858523733ea9d
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNeco:V8e8e8f8e8e8D

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 25 IoCs

rat

resource	yara_rule
behavioral1/files/0x0009000000018b05-45.dat	warzonerat
behavioral1/files/0x00080000000186bb-82.dat	warzonerat
behavioral1/files/0x0008000000018b50-96.dat	warzonerat
behavioral1/files/0x0008000000018b50-167.dat	warzonerat
behavioral1/files/0x0008000000018b50-180.dat	warzonerat
behavioral1/files/0x0008000000018b50-179.dat	warzonerat
behavioral1/files/0x0008000000018b50-181.dat	warzonerat
behavioral1/files/0x0008000000018b50-178.dat	warzonerat
behavioral1/files/0x0008000000018b50-177.dat	warzonerat
behavioral1/files/0x0008000000018b50-176.dat	warzonerat
behavioral1/files/0x0008000000018b50-175.dat	warzonerat
behavioral1/files/0x0008000000018b50-169.dat	warzonerat
behavioral1/files/0x0008000000018b50-185.dat	warzonerat
behavioral1/files/0x0008000000018b50-199.dat	warzonerat
behavioral1/files/0x0008000000018b50-200.dat	warzonerat
behavioral1/files/0x0008000000018b50-197.dat	warzonerat
behavioral1/files/0x0008000000018b50-196.dat	warzonerat
behavioral1/files/0x0008000000018b50-195.dat	warzonerat
behavioral1/files/0x0008000000018b50-194.dat	warzonerat
behavioral1/files/0x0008000000018b50-191.dat	warzonerat
behavioral1/files/0x0008000000018b50-187.dat	warzonerat
behavioral1/files/0x0008000000018b50-210.dat	warzonerat
behavioral1/files/0x0008000000018b50-208.dat	warzonerat
behavioral1/files/0x0008000000018b50-204.dat	warzonerat
behavioral1/files/0x0008000000018b50-202.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 25 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000018b05-45.dat	aspack_v212_v242
behavioral1/files/0x00080000000186bb-82.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-96.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-167.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-180.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-179.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-181.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-178.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-177.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-176.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-175.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-169.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-185.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-199.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-200.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-197.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-196.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-195.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-194.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-191.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-187.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-210.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-208.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-204.dat	aspack_v212_v242
behavioral1/files/0x0008000000018b50-202.dat	aspack_v212_v242

Executes dropped EXE 9 IoCs

pid	Process
2020	explorer.exe
1564	explorer.exe
2376	spoolsv.exe
1220	spoolsv.exe
2104	spoolsv.exe
2084	spoolsv.exe
3040	spoolsv.exe
2140	spoolsv.exe
2592	spoolsv.exe

Loads dropped DLL 51 IoCs

pid	Process
2700	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe
2700	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1428	WerFault.exe
1428	WerFault.exe
1428	WerFault.exe
1428	WerFault.exe
1428	WerFault.exe
1428	WerFault.exe
1428	WerFault.exe
1564	explorer.exe
1564	explorer.exe
1020	WerFault.exe
1020	WerFault.exe
1020	WerFault.exe
1020	WerFault.exe
1020	WerFault.exe
1020	WerFault.exe
1020	WerFault.exe
1564	explorer.exe
1564	explorer.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
1564	explorer.exe
1564	explorer.exe
1692	WerFault.exe
1692	WerFault.exe
1692	WerFault.exe
1692	WerFault.exe
1692	WerFault.exe
1692	WerFault.exe
1692	WerFault.exe
1564	explorer.exe
1564	explorer.exe
1408	WerFault.exe
1408	WerFault.exe
1408	WerFault.exe
1408	WerFault.exe
1408	WerFault.exe
1408	WerFault.exe
1408	WerFault.exe
1564	explorer.exe
1564	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 564 set thread context of 2700	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	30
PID 564 set thread context of 2696	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	31
PID 2020 set thread context of 1564	2020	explorer.exe	33
PID 2020 set thread context of 588	2020	explorer.exe	34

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
1428	1220	WerFault.exe	36
1020	2104	WerFault.exe	38
888	2084	WerFault.exe	40
1692	3040	WerFault.exe	42
1408	2140	WerFault.exe	44
2576	2592	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2700	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2700	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe
2700	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 2700	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	30
PID 564 wrote to memory of 2700	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	30
PID 564 wrote to memory of 2700	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	30
PID 564 wrote to memory of 2700	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	30
PID 564 wrote to memory of 2700	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	30
PID 564 wrote to memory of 2700	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	30
PID 564 wrote to memory of 2700	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	30
PID 564 wrote to memory of 2700	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	30
PID 564 wrote to memory of 2700	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	30
PID 564 wrote to memory of 2696	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	31
PID 564 wrote to memory of 2696	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	31
PID 564 wrote to memory of 2696	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	31
PID 564 wrote to memory of 2696	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	31
PID 564 wrote to memory of 2696	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	31
PID 564 wrote to memory of 2696	564	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	31
PID 2700 wrote to memory of 2020	2700	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	32
PID 2700 wrote to memory of 2020	2700	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	32
PID 2700 wrote to memory of 2020	2700	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	32
PID 2700 wrote to memory of 2020	2700	dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe	32
PID 2020 wrote to memory of 1564	2020	explorer.exe	33
PID 2020 wrote to memory of 1564	2020	explorer.exe	33
PID 2020 wrote to memory of 1564	2020	explorer.exe	33
PID 2020 wrote to memory of 1564	2020	explorer.exe	33
PID 2020 wrote to memory of 1564	2020	explorer.exe	33
PID 2020 wrote to memory of 1564	2020	explorer.exe	33
PID 2020 wrote to memory of 1564	2020	explorer.exe	33
PID 2020 wrote to memory of 1564	2020	explorer.exe	33
PID 2020 wrote to memory of 1564	2020	explorer.exe	33
PID 2020 wrote to memory of 588	2020	explorer.exe	34
PID 2020 wrote to memory of 588	2020	explorer.exe	34
PID 2020 wrote to memory of 588	2020	explorer.exe	34
PID 2020 wrote to memory of 588	2020	explorer.exe	34
PID 2020 wrote to memory of 588	2020	explorer.exe	34
PID 2020 wrote to memory of 588	2020	explorer.exe	34
PID 1564 wrote to memory of 2376	1564	explorer.exe	35
PID 1564 wrote to memory of 2376	1564	explorer.exe	35
PID 1564 wrote to memory of 2376	1564	explorer.exe	35
PID 1564 wrote to memory of 2376	1564	explorer.exe	35
PID 1564 wrote to memory of 1220	1564	explorer.exe	36
PID 1564 wrote to memory of 1220	1564	explorer.exe	36
PID 1564 wrote to memory of 1220	1564	explorer.exe	36
PID 1564 wrote to memory of 1220	1564	explorer.exe	36
PID 1220 wrote to memory of 1428	1220	spoolsv.exe	37
PID 1220 wrote to memory of 1428	1220	spoolsv.exe	37
PID 1220 wrote to memory of 1428	1220	spoolsv.exe	37
PID 1220 wrote to memory of 1428	1220	spoolsv.exe	37
PID 1564 wrote to memory of 2104	1564	explorer.exe	38
PID 1564 wrote to memory of 2104	1564	explorer.exe	38
PID 1564 wrote to memory of 2104	1564	explorer.exe	38
PID 1564 wrote to memory of 2104	1564	explorer.exe	38
PID 2104 wrote to memory of 1020	2104	spoolsv.exe	39
PID 2104 wrote to memory of 1020	2104	spoolsv.exe	39
PID 2104 wrote to memory of 1020	2104	spoolsv.exe	39
PID 2104 wrote to memory of 1020	2104	spoolsv.exe	39
PID 1564 wrote to memory of 2084	1564	explorer.exe	40
PID 1564 wrote to memory of 2084	1564	explorer.exe	40
PID 1564 wrote to memory of 2084	1564	explorer.exe	40
PID 1564 wrote to memory of 2084	1564	explorer.exe	40
PID 2084 wrote to memory of 888	2084	spoolsv.exe	41
PID 2084 wrote to memory of 888	2084	spoolsv.exe	41
PID 2084 wrote to memory of 888	2084	spoolsv.exe	41
PID 2084 wrote to memory of 888	2084	spoolsv.exe	41
PID 1564 wrote to memory of 3040	1564	explorer.exe	42
PID 1564 wrote to memory of 3040	1564	explorer.exe	42

C:\Users\Admin\AppData\Local\Temp\dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe
"C:\Users\Admin\AppData\Local\Temp\dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe
  "C:\Users\Admin\AppData\Local\Temp\dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822dN.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1220
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2140
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 36
        6⤵
        Program crash
        
        PID:2576
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:588
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
de399ee5f64c1f9510ade80df9dcee80

SHA1
7902c4ae51e346105653482db4d4be2aa1cc35f2

SHA256
dc537336e2cea4bd5132360dbe99748b5b56dbc4aa67265a5bbe5dd97d54822d

SHA512
872b0115be83ab59cc76a40a88b65aca8e834aa6a77d5ba652989dd0f01312a3aedba0427da8c62f4d0745b0e0d409715eed948cd8438caff0b858523733ea9d

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
3.4MB

MD5
e5754560f704b142e7b19db603dd21d5

SHA1
647a73af1da7acc40520f006c8e58b76766ad5e4

SHA256
1d278189e0af2ba68ad98e0b7df53a14719f8b6464e240306d79ee4c8646a100

SHA512
0f872d79cb27e33144ed2f392f43f3985dd2fac7f18d590ce34af28054312be57e157f7bddac85e19a8a3f65145486075f93ce1529b69e42ab41884a9281404f

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.4MB

MD5
9924cd5126b8f8e7ef1636aaa5e247c6

SHA1
9d6bc6309f8725eea40200cba8bca67df86bae9d

SHA256
cfe389ed68770b40e3453d5e44f088a71bbec1bc4d5e8c8666a5c6ac6163c7bc

SHA512
531cdb5fc9750933747e997601552bd2acae1ea3964d720b6c057f05c1176af1ccf70e1f648cd235c1df38957d43b6203bb4be6350ce5523dee43d2ec2e38390

Download Submit
\Windows\system\explorer.exe

Filesize
8.2MB

MD5
d94a8b7fb7e617f1e97765c8c71fbc17

SHA1
66f24f25ea0e199225b2d4ec9714159718800efb

SHA256
06dac130584cc5db3656963385ea84130499c05010138cede1b21b146cdee0e6

SHA512
717d251257002ae63ef29ce02d15776a31d759fe57f15f6e14bb49ec38854904f09ef7fb91c41705019675789de8db755abfeafb85cefe308f1f407a5ed86c62

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.8MB

MD5
042eac7e38d3f1235b731c52ba6e62cb

SHA1
e43097e193986eca9e710aaa62ceaa59eb4638df

SHA256
0379cfc03971793c6a364fd3dba0902507dc0577a6e7ffc65fe3e984f5c02c71

SHA512
7f7126d22d585b792ee8f0319203113e351bbb43c58f283aed027af3fca2ec5c68bdea8999d553f077ae6173c373a9163b136212ad938566a541bad2b1caae86

Download Submit
\Windows\system\spoolsv.exe

Filesize
5.7MB

MD5
3cd253306716d7e6842de119263d7107

SHA1
34ef683a22b245ed4381fdc354db00fddbb6cdfd

SHA256
e1f139810e004b0162959f7e07cabf11458eb6f2fd2ddfb7d2a53d89be3706ae

SHA512
35aa4306aff3ba43871e36e37ed179f2df8db09b31936c8e34f49c390562d9e72da74daae66e653570e368783555bf1d7fcd535fa878fc8fb48f3bbeb305317d

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.9MB

MD5
2b1b81bc27a1a851ff971d3b0c9aefde

SHA1
b6b45faabc1bc1d420af3d675754820715f93256

SHA256
a16e9e093f7e861b4d0c24ef1f4c1d1465471ec5649a284064854e8119c36797

SHA512
da9877e400b3528c0b3eac2af8116bbf3ed2c09c8ed52b380e8a4e34226191e4a4eb30d7598fea9f8c562baf86219db5847a07f268097d8c86a7f894e4ce14e5

Download Submit
\Windows\system\spoolsv.exe

Filesize
5.0MB

MD5
419412ce60f112e26fdbeac5aa819737

SHA1
5f6cec22006395ad362e39897782430dea2f02db

SHA256
049c46e41583c047485860f940597a435a05966a4b2ec7206723f48064bd3cd1

SHA512
913ce46dc6aa1552dd77b6bf1309239eae5a66848a0f51c070f0376aa6e4ebf9ab6581e22fa930b5b04fdbcc58c223c1302253c5de4ab6cf398ea6a801dbaaf2

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.6MB

MD5
617e80e4e60615dcf4b359fedb8855f8

SHA1
2eacfe7caada701b3e6654e6bf7df0220a33a4a2

SHA256
be8407d302897c85dc3b668a1600099bf2d97cd5d48623815d8d681cf86956bf

SHA512
09d681a50f1804cb23004c6cae1116601d4f2fa88208c5206b7e9dbaecb335eb1cf8124cb54554666fbcfc77eaf0d67faed10f49d0f766c5326ff8ea86b7dfea

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.5MB

MD5
864adfcd7722a66dc53c4d8b398beb0e

SHA1
8f304eeca7e4c9cf73ad3baa4d021c6419de3dbc

SHA256
d522be96b13cd08d20b2a660a89d5b9fb2c003cba545d2d4729fa8f766b41f44

SHA512
c26a9d709c793678bb4764890de7b0e79bc467a617f522bc9d2bc1354cf911c123ff167e74b87ea82bc4307e22a2200f94b8e6d0bf90e099f7acfd39ec7ac1c9

Download Submit
\Windows\system\spoolsv.exe

Filesize
3.9MB

MD5
ba153aad460d6c5d35061122dc440da0

SHA1
0d7738532678dfe46a55d1da4b4e6294c9496d18

SHA256
8cacc6b6f8e258df482802db943accef1c88f6a767175cfa01a976d3afccc8c6

SHA512
5318898301bba45dee3a2f6a191cf0d3d89b316bbab75b8c4ae6ced79b6dc43c066bf63cd0ffe4223dd4d92eb074d808e7c40383e64207d646a78c926eacab51

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.7MB

MD5
490d8238c5ac051efa24f5e81c82a88e

SHA1
cd4517ab4892d204506fbcb886e1b559508322e6

SHA256
ffb566410236c4bdbcd67c1225fdf90e9e70ebd0704770562a6edab05b8b919c

SHA512
3becada8af54b820b7aff12a9c82506fdd2884e4b12efc605be8a82ac813d87be6ba98020f466d5ef493dfbc6f540f0359ffb22324993870b74cb0de16868215

Download Submit
\Windows\system\spoolsv.exe

Filesize
5.1MB

MD5
f5ca97d246bcda258d4460b94e9bd559

SHA1
ace92b0b7703125e598aa9cd9bb1a719da5ec343

SHA256
7afda2dfc8d230f3d4c4405f3f50c464dc0b7377a832e1fe01a76b8979ff5da8

SHA512
9e2423a5dc414ce0c4d7112011440b1f19afed656b973ad8deb9bf123f7739ff0bce0a4c16c955c2eaf32df790e1f8c615f66a4d450c506703229433a0595650

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
f25210466aed0f4ffee22a9c764fc0dd

SHA1
fe7adb8de8f37e54d29b4e3ae5e0c148c3950348

SHA256
613cdf400faf3242e680e2c812d35721d12a0a16f5e7178b50c37e3facef927b

SHA512
3ce854ee9c2c9b8474fd299ad790b2c366309b5594e203adb015914d4d1a0eb81d60d68bd710adb77340611be6f7bc1020dd27d14548f81b336c1ced0313c429

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.6MB

MD5
f82eebd6fee380d7623b7d343d03a6b5

SHA1
c47eb41595d369bdd4f1b0c72cd7c13d2604081f

SHA256
f8373cbd5edb9c07471f742c813296769bbedd5dd0fc9e1c81965e62ec19d74b

SHA512
f6d66a2c57aadb92198624d5ac921ea660164648411c719b6c6aef687691590c4477c7bbdf0d52a74149129e79947d289324cce10a307723cc8e47bbb60df6ab

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.6MB

MD5
28621b348d2ce28bf2ad2593c3de5b97

SHA1
0e916d17be87a68a00ae7f2399aa9724e15d2680

SHA256
6978bddc630de1ba1b61d60e0a2a9155bec9f1fac36c8039fe1f207ba7e2db23

SHA512
069e24c95ce248331ceded7bff8651fbb4e514b11202fcf88ecf0a857c65acf9efbd2a07fc10e832ad0ab8b88ec74f131237dc78662cb98b884e408b57fed064

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.6MB

MD5
3576704d4116066092ca4c6cd0381753

SHA1
8490b9fe04ff64d4e9df64aad3bee1d10dc7dc5f

SHA256
783e510ade99f8f888977fb86c8114d46f8d72613a62b8da662ca1da80dd3ef9

SHA512
dd6d0b1652e75d56c57b0f84eda7dda51aadbab1cb3224db4536024be6acac773a17eb4d72dd42c488b298039e682e1be67521653a547188b1599c1d38dae3f0

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.7MB

MD5
c688b326c322d63444db8e1d1ffd4f61

SHA1
a3643e2cfc51e905467db91c830c67777f10ae5b

SHA256
f5783619d56c1970ad717484fbf073c93ea881494977e110be8e50a28a915157

SHA512
00eee7983203d917bce8ecc374a1b792e4f78173c798da24b3e59a38d76edd77316ceba01d0301534150a9814df0ba396fe1805024a19f0c47a9a04f2ed83ffb

Download Submit
\Windows\system\spoolsv.exe

Filesize
3.6MB

MD5
219868bc0f3b45f5a8c7571acb6b3e83

SHA1
1922b7177ec27f20e255c55776be0c5012d193ac

SHA256
3d1e734da56afc0ecc8151d3fe48fadbbba6a190694f87dc614b9e4d89765f74

SHA512
54e59c89622ae3b95ba5fe7a47381ee39c5a49d9d325d3533a68082135a373e58cd39fe490206ce780dc22fe415146eb9085d45a8e5999dd06f3850f9d0a490c

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.8MB

MD5
0ef4b0336835b20e5d6f76dad925a6f9

SHA1
50d888cb6c4878aac863bc66d8fba4716f7ab1c9

SHA256
00efdd1e1f95b33e0a93cc0fe1718e42ec60037fb5d3a413ce6cf1ba7a85525c

SHA512
c4575c1601dee032684da3268b40df79091534808f9350ebbe7c52c16c3bdbd8777e79143da502a185c56d914d50a255f21d236203209310c69fb0ecd3f7cd36

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.6MB

MD5
d0c653173352aa444854ca2c18439dc1

SHA1
e7755dd50cea9ce1347e1542d6d5e74d178fa2cf

SHA256
79c5a179fedc2a5596ee6f30bb51400afd39c52585372406f871afa0bffd9ae2

SHA512
983a7ba8259c0eea7ffb3cc84c7a3bdb66bbc3e5fd3b68fd216d55b15d2e0401fc52d0f3d07f5c38a98366a825f535bb57447405a1be02656cde5529c4ff2b49

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.6MB

MD5
37c104e2b76a6d2749635c971db6f83c

SHA1
e05e5ab1e986e3cc0aae8595b7e742a7b83b47c6

SHA256
d896a2eee5d64597550db00407803bd07f738d8f5215fb1ad9dc44c365c145b7

SHA512
a8586397c00c24282b1cfc9393d1eee72e4fff2753e4e41f5d2155881130f2ed2076db7f2c67de9872ac23077a42d9b78484ff6388c49727d0d147df51b1ed5b

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.6MB

MD5
fa5dd0102d6b2f0734e2bb1afd9d2f74

SHA1
3a8aef671d7874a17aee5075b84912da4b241a37

SHA256
6e565dc44e8efeb81bc0899689f3bb9c5d8a4dc63d18134017cffdc30828b1ee

SHA512
d88328a300e503959696ee799f6830b0fb68304225d5a1592460281658e296797c30315d931bb133c5c5bc13245e98628a77705b0cb99eef59e2313d556dc507

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.1MB

MD5
80af6b95e483ceaa65639c811e4c9f3b

SHA1
890e3964d9c176f39cab261f0cd940baef627b11

SHA256
a6ddc4bd3d22cf8f9adececeaa1121082a8142085edf489218a2ad6f3cc1c41d

SHA512
e976bf8b77910936aef3aaf3ad7ee69440bbd6f8d14fd4e01333e7642311a107710de0bd513deceb4194b6f78190f98c0f885739f5538351acaa9f585e4f1957

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.2MB

MD5
72458bc9f720f1940f17fd5551923a3b

SHA1
7c55114e57dd7f7ec9c632d9cd1e3feb40ba42bd

SHA256
e72f6eb9ea6018185007ba2a7207a690234a4cb694bd7f5e16531937af890434

SHA512
62264358398f15f01545eedfeffd74f25e9e0b537a5853276e711d205fe95b2d94710fe81e0cc6f3964f555107f1b561300321ad0bee86ea481deea1e43f27f2

Download Submit
memory/564-40-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/564-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/564-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/564-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/564-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/564-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/564-6-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/564-23-0x0000000002D80000-0x0000000002E94000-memory.dmp

Filesize
1.1MB

Download
memory/588-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1220-126-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1220-118-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1564-117-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1564-115-0x0000000002F80000-0x0000000003094000-memory.dmp

Filesize
1.1MB

Download
memory/1564-155-0x0000000002F80000-0x0000000003094000-memory.dmp

Filesize
1.1MB

Download
memory/1564-137-0x0000000002F80000-0x0000000003094000-memory.dmp

Filesize
1.1MB

Download
memory/1564-135-0x0000000002F80000-0x0000000003094000-memory.dmp

Filesize
1.1MB

Download
memory/1564-193-0x0000000002F80000-0x0000000003094000-memory.dmp

Filesize
1.1MB

Download
memory/1564-146-0x0000000002F80000-0x0000000003094000-memory.dmp

Filesize
1.1MB

Download
memory/1564-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1564-165-0x0000000002F80000-0x0000000003094000-memory.dmp

Filesize
1.1MB

Download
memory/2020-51-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2020-50-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2020-60-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2020-90-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2020-54-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2020-58-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2084-157-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2140-192-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2376-104-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2376-134-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2376-103-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2376-105-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2592-209-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2696-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2696-35-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2696-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2696-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2696-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2700-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-53-0x0000000002F00000-0x0000000003014000-memory.dmp

Filesize
1.1MB

Download
memory/2700-52-0x0000000002F00000-0x0000000003014000-memory.dmp

Filesize
1.1MB

Download
memory/3040-174-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download