Analysis
max time kernel: 120s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 03:07

Behavioral task: behavioral1
Sample: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe
Resource: win10v2004-20241007-en
General
Target: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe
Size: 8.9MB
MD5: cb0a94ed86ab20f37003888759ecedc0
SHA1: da5ea5cd54bc9af434760d7c4bd09a7b07de2d14
SHA256: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2
SHA512: 55b1720ebea1220eb0e91eae9bc14a6e47f2e9062db4fede95d9804fc3a7a70ea565b12f42e854c29368913c7ca0f758db4b2904634b657782b115d9fef2fb4f
SSDEEP: 49152:K1XP6rPbNechC0bNechC0bNecIC0bNechC0bNechC0bNecE:K1+8e8e8f8e8e89
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzonerat family

Warzone RAT payload (3 IoCs)
  resource: behavioral2/files/0x000c000000023b87-19.dat  yara_rule: warzonerat
  resource: behavioral2/files/0x000b000000023b85-34.dat  yara_rule: warzonerat
  resource: behavioral2/files/0x00030000000221eb-49.dat  yara_rule: warzonerat
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
Executes dropped EXE (64 IoCs)
  explorer.exe: PID 1492, 3232
  spoolsv.exe: PID 4516, 4584, 4304, 836, 1204, 4052, 408, 4920, 4100, 3900, 5092, 4024, 4492, 620, 5116, 2208, 4184, 4532, 4360, 3496, 4496, 744, 3340, 2140, 2248, 1596, 3912, 4452, 448, 3836, 2920, 4868, 3008, 5024, 436, 1900, 4732, 2716, 1708, 2340, 3756, 1364, 364, 3424, 3144, 1992, 4212, 4952, 3380, 3580, 2764, 4288, 1216, 1068, 3076, 4572, 4900, 2636, 4248, 1464, 832, 2612
Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" (process: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" (process: explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Suspicious use of SetThreadContext (4 IoCs)
  PID 3424 set thread context of 2892 (process: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe, procid_target: 98)
  PID 3424 set thread context of 4996 (process: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe, procid_target: 99)
  PID 1492 set thread context of 3232 (process: explorer.exe, procid_target: 101)
  PID 1492 set thread context of 2284 (process: explorer.exe, procid_target: 102)
Drops file in Windows directory (3 IoCs)
  File opened for modification: \??\c:\windows\system\explorer.exe (process: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe)
  File opened for modification: \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
  File opened for modification: \??\c:\windows\system\explorer.exe (process: explorer.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  64 rows listed, all for the same key, by process: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe (2 rows), explorer.exe (1 row), spoolsv.exe (61 rows)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2892 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe (2 rows)
  PID 3232 explorer.exe (62 rows)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3232 explorer.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 2892 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe (2 rows)
  PID 3232 explorer.exe (4 rows)

Suspicious use of WriteProcessMemory (64 IoCs; row counts per source/target pair)
  PID 3424 wrote to memory of 2892 (process: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe, procid_target: 98) x8
  PID 3424 wrote to memory of 4996 (process: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe, procid_target: 99) x5
  PID 2892 wrote to memory of 1492 (process: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe, procid_target: 100) x3
  PID 1492 wrote to memory of 3232 (process: explorer.exe, procid_target: 101) x8
  PID 1492 wrote to memory of 2284 (process: explorer.exe, procid_target: 102) x5
  PID 3232 wrote to memory of 4516 (process: explorer.exe, procid_target: 103) x3
  PID 3232 wrote to memory of 4584 (process: explorer.exe, procid_target: 104) x3
  PID 3232 wrote to memory of 4304 (process: explorer.exe, procid_target: 105) x3
  PID 3232 wrote to memory of 836 (process: explorer.exe, procid_target: 106) x3
  PID 3232 wrote to memory of 1204 (process: explorer.exe, procid_target: 107) x3
  PID 3232 wrote to memory of 4052 (process: explorer.exe, procid_target: 108) x3
  PID 3232 wrote to memory of 408 (process: explorer.exe, procid_target: 109) x3
  PID 3232 wrote to memory of 4920 (process: explorer.exe, procid_target: 110) x3
  PID 3232 wrote to memory of 4100 (process: explorer.exe, procid_target: 111) x3
  PID 3232 wrote to memory of 3900 (process: explorer.exe, procid_target: 112) x3
  PID 3232 wrote to memory of 5092 (process: explorer.exe, procid_target: 113) x3
  PID 3232 wrote to memory of 4024 (process: explorer.exe, procid_target: 114) x2
Processes
(Tree depth is given in brackets; each entry lists path, command line, PID and the signatures triggered by that process.)

[1] C:\Users\Admin\AppData\Local\Temp\6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe"
    PID 3424
    Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2N.exe"
      PID 2892
      Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    [3] \??\c:\windows\system\explorer.exe
        cmdline: c:\windows\system\explorer.exe
        PID 1492
        Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

      [4] \??\c:\windows\system\explorer.exe
          cmdline: c:\windows\system\explorer.exe
          PID 3232
          Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

        [5] Children of PID 3232. Every entry below is \??\c:\windows\system\spoolsv.exe with cmdline c:\windows\system\spoolsv.exe SE; only PID and signatures differ.
            PID 4516: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4584: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4304: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 836: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 1204: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4052: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 408: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4920: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4100: Executes dropped EXE
            PID 3900: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 5092: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4024: Executes dropped EXE
            PID 4492: Executes dropped EXE
            PID 620: Executes dropped EXE
            PID 5116: Executes dropped EXE
            PID 2208: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4184: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4532: Executes dropped EXE
            PID 4360: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 3496: Executes dropped EXE
            PID 4496: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 744: Executes dropped EXE
            PID 3340: Executes dropped EXE
            PID 2140: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 2248: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 1596: Executes dropped EXE
            PID 3912: Executes dropped EXE
            PID 4452: Executes dropped EXE
            PID 448: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 3836: Executes dropped EXE
            PID 2920: Executes dropped EXE
            PID 4868: Executes dropped EXE
            PID 3008: Executes dropped EXE
            PID 5024: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 436: Executes dropped EXE
            PID 1900: Executes dropped EXE
            PID 4732: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 2716: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 1708: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 2340: Executes dropped EXE
            PID 3756: Executes dropped EXE
            PID 1364: Executes dropped EXE
            PID 364: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 3424: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 3144: Executes dropped EXE
            PID 1992: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4212: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4952: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 3380: Executes dropped EXE
            PID 3580: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 2764: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4288: Executes dropped EXE
            PID 1216: Executes dropped EXE
            PID 1068: Executes dropped EXE
            PID 3076: Executes dropped EXE
            PID 4572: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4900: Executes dropped EXE
            PID 2636: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 4248: Executes dropped EXE
            PID 1464: Executes dropped EXE
            PID 832: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 2612: Executes dropped EXE; System Location Discovery: System Language Discovery
            PID 316: System Location Discovery: System Language Discovery
            PID 2908: System Location Discovery: System Language Discovery
            PID 2720: System Location Discovery: System Language Discovery
            PID 3284: (no signatures)
            PID 2292: System Location Discovery: System Language Discovery
            PID 1492: (no signatures)
            PID 2388: System Location Discovery: System Language Discovery
            PID 4848: System Location Discovery: System Language Discovery
            PID 64: System Location Discovery: System Language Discovery
            PID 2304: System Location Discovery: System Language Discovery
            PID 2200: (no signatures)
            PID 512: (no signatures)
            PID 4968: System Location Discovery: System Language Discovery
            PID 2420: (no signatures)
            PID 3592: (no signatures)
            PID 3964: System Location Discovery: System Language Discovery
            PID 632: (no signatures)
            PID 4544: System Location Discovery: System Language Discovery
            PID 4464: (no signatures)
            PID 1076: (no signatures)
            PID 2396: (no signatures)
            PID 3128: (no signatures)
            PID 2480: (no signatures)
            PID 1180: (no signatures)
            PID 2960: (no signatures)
            PID 1176: System Location Discovery: System Language Discovery
            PID 4008: System Location Discovery: System Language Discovery
            PID 2196: (no signatures)
            PID 2936: System Location Discovery: System Language Discovery
            PID 4676: (no signatures)
            PID 3652: (no signatures)
            PID 4188: (no signatures)
            PID 5036: (no signatures)
            PID 1676: System Location Discovery: System Language Discovery
            PID 1644: (no signatures)
            PID 2368: System Location Discovery: System Language Discovery
            PID 1620: System Location Discovery: System Language Discovery
            PID 1084: System Location Discovery: System Language Discovery
            PID 2096: System Location Discovery: System Language Discovery
            PID 3152: (no signatures)
            PID 2756: System Location Discovery: System Language Discovery
            PID 2748: (no signatures)
            PID 5104: System Location Discovery: System Language Discovery
            PID 540: (no signatures)
            PID 4200: (no signatures)
            PID 3552: System Location Discovery: System Language Discovery
            PID 2896: (no signatures)
            PID 1292: (no signatures)
            PID 3664: (no signatures)
            PID 2644: System Location Discovery: System Language Discovery
            PID 1648: (no signatures)
            PID 2124: System Location Discovery: System Language Discovery
            PID 5124: System Location Discovery: System Language Discovery
            PID 5140: (no signatures)
            PID 5156: System Location Discovery: System Language Discovery
            PID 5176: System Location Discovery: System Language Discovery
            PID 5192: (no signatures)
            PID 5208: System Location Discovery: System Language Discovery
            PID 5228: (no signatures)
            PID 5244: (no signatures)
            PID 5260: (no signatures)
            PID 5280: (no signatures)
            PID 5296: System Location Discovery: System Language Discovery
            PID 5312: (no signatures)

      [4] C:\Windows\SysWOW64\diskperf.exe (child of PID 1492)
          cmdline: "C:\Windows\SysWOW64\diskperf.exe"
          PID 2284
          (no signatures)

  [2] C:\Windows\SysWOW64\diskperf.exe (child of PID 3424)
      cmdline: "C:\Windows\SysWOW64\diskperf.exe"
      PID 4996
      (no signatures)
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
Downloads

Filesize: 8.9MB
MD5: cb0a94ed86ab20f37003888759ecedc0
SHA1: da5ea5cd54bc9af434760d7c4bd09a7b07de2d14
SHA256: 6d04d9a25ff9e50904896f1a7d0be42c39f65e5549969a67d599a74b3a25fdd2
SHA512: 55b1720ebea1220eb0e91eae9bc14a6e47f2e9062db4fede95d9804fc3a7a70ea565b12f42e854c29368913c7ca0f758db4b2904634b657782b115d9fef2fb4f

Filesize: 8.9MB
MD5: cad808ce07dd30c5d8f1920e61849bd8
SHA1: c4ca89e4068d046e21db0e6a31f61d690d50e37b
SHA256: 0f37e7aca0306a8ab6d745452f3d034b424e8911f1a0e00b0b45416f63a968bb
SHA512: 2c40953e0525f3ddd5cecece2467940dc448198be76474753c9cd1972775696183e857c50b4bddc3fc0849d604832f2f234e15143179859de63e5f49200fadcb

Filesize: 8.9MB
MD5: 88cb2741d13e861d54820c0b9b13a17c
SHA1: d8821f164d05aaddf8b16cc9b9a928be48d9f7c8
SHA256: 3c21d274ceb424cb3abe3cc6cfd7c360b57f7d250565ca89114cf2ec383f53e8
SHA512: ff3be57f570e1ef76b64b45c9d095d2c8c50f274aa4a2dd131cc811326768d12d68d9a4f8a5d97fa2aa3ece3cc17fab168f995d500e682c60906e0a9b42e7e09