warzonerat | 710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290db

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe
Size

8.9MB
MD5

7166f200a4c14758fb2f950cf755b910
SHA1

72a52a35cb848bfc6d9d94d2b462f82e595c2a7b
SHA256

710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290db
SHA512

cfff1daa7880fd67ef580238f0e05921c6638177a4aa14ec1e35a1f08e4d8df99b5d7f3367bd81f5e57193fd2e4de83a463f2fa8d09e7d066f7cf496217c3fc9
SSDEEP

49152:K1XP6rPbNechC0bNechC0bNecIC0bNechC0bNechC0bNec+:K1+8e8e8f8e8e8X

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 16 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000018b28-35.dat	warzonerat
behavioral1/files/0x00080000000186b7-68.dat	warzonerat
behavioral1/files/0x0008000000018b50-81.dat	warzonerat
behavioral1/files/0x0008000000018b50-169.dat	warzonerat
behavioral1/files/0x0008000000018b50-173.dat	warzonerat
behavioral1/files/0x0008000000018b50-167.dat	warzonerat
behavioral1/files/0x0008000000018b50-179.dat	warzonerat
behavioral1/files/0x0008000000018b50-185.dat	warzonerat
behavioral1/files/0x0008000000018b50-177.dat	warzonerat
behavioral1/files/0x0008000000018b50-199.dat	warzonerat
behavioral1/files/0x0008000000018b50-207.dat	warzonerat
behavioral1/files/0x0008000000018b50-215.dat	warzonerat
behavioral1/files/0x0008000000018b50-225.dat	warzonerat
behavioral1/files/0x0008000000018b50-239.dat	warzonerat
behavioral1/files/0x0008000000018b50-247.dat	warzonerat
behavioral1/files/0x0008000000018b50-255.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 11 IoCs

pid	Process
2796	explorer.exe
2988	explorer.exe
1856	spoolsv.exe
2684	spoolsv.exe
1452	spoolsv.exe
1756	spoolsv.exe
2368	spoolsv.exe
2352	spoolsv.exe
384	spoolsv.exe
1292	spoolsv.exe
1556	spoolsv.exe

Loads dropped DLL 20 IoCs

pid	Process
2884	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe
2884	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 2884	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	29
PID 1344 set thread context of 2176	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	30
PID 2796 set thread context of 2988	2796	explorer.exe	32
PID 2796 set thread context of 2024	2796	explorer.exe	33

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2884	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2884	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe
2884	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2884	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	29
PID 1344 wrote to memory of 2884	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	29
PID 1344 wrote to memory of 2884	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	29
PID 1344 wrote to memory of 2884	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	29
PID 1344 wrote to memory of 2884	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	29
PID 1344 wrote to memory of 2884	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	29
PID 1344 wrote to memory of 2884	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	29
PID 1344 wrote to memory of 2884	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	29
PID 1344 wrote to memory of 2884	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	29
PID 1344 wrote to memory of 2176	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	30
PID 1344 wrote to memory of 2176	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	30
PID 1344 wrote to memory of 2176	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	30
PID 1344 wrote to memory of 2176	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	30
PID 1344 wrote to memory of 2176	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	30
PID 1344 wrote to memory of 2176	1344	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	30
PID 2884 wrote to memory of 2796	2884	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	31
PID 2884 wrote to memory of 2796	2884	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	31
PID 2884 wrote to memory of 2796	2884	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	31
PID 2884 wrote to memory of 2796	2884	710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe	31
PID 2796 wrote to memory of 2988	2796	explorer.exe	32
PID 2796 wrote to memory of 2988	2796	explorer.exe	32
PID 2796 wrote to memory of 2988	2796	explorer.exe	32
PID 2796 wrote to memory of 2988	2796	explorer.exe	32
PID 2796 wrote to memory of 2988	2796	explorer.exe	32
PID 2796 wrote to memory of 2988	2796	explorer.exe	32
PID 2796 wrote to memory of 2988	2796	explorer.exe	32
PID 2796 wrote to memory of 2988	2796	explorer.exe	32
PID 2796 wrote to memory of 2988	2796	explorer.exe	32
PID 2796 wrote to memory of 2024	2796	explorer.exe	33
PID 2796 wrote to memory of 2024	2796	explorer.exe	33
PID 2796 wrote to memory of 2024	2796	explorer.exe	33
PID 2796 wrote to memory of 2024	2796	explorer.exe	33
PID 2796 wrote to memory of 2024	2796	explorer.exe	33
PID 2796 wrote to memory of 2024	2796	explorer.exe	33
PID 2988 wrote to memory of 1856	2988	explorer.exe	34
PID 2988 wrote to memory of 1856	2988	explorer.exe	34
PID 2988 wrote to memory of 1856	2988	explorer.exe	34
PID 2988 wrote to memory of 1856	2988	explorer.exe	34
PID 2988 wrote to memory of 2684	2988	explorer.exe	35
PID 2988 wrote to memory of 2684	2988	explorer.exe	35
PID 2988 wrote to memory of 2684	2988	explorer.exe	35
PID 2988 wrote to memory of 2684	2988	explorer.exe	35
PID 2988 wrote to memory of 1452	2988	explorer.exe	36
PID 2988 wrote to memory of 1452	2988	explorer.exe	36
PID 2988 wrote to memory of 1452	2988	explorer.exe	36
PID 2988 wrote to memory of 1452	2988	explorer.exe	36
PID 2988 wrote to memory of 1756	2988	explorer.exe	37
PID 2988 wrote to memory of 1756	2988	explorer.exe	37
PID 2988 wrote to memory of 1756	2988	explorer.exe	37
PID 2988 wrote to memory of 1756	2988	explorer.exe	37
PID 2988 wrote to memory of 2368	2988	explorer.exe	38
PID 2988 wrote to memory of 2368	2988	explorer.exe	38
PID 2988 wrote to memory of 2368	2988	explorer.exe	38
PID 2988 wrote to memory of 2368	2988	explorer.exe	38
PID 2988 wrote to memory of 2352	2988	explorer.exe	39
PID 2988 wrote to memory of 2352	2988	explorer.exe	39
PID 2988 wrote to memory of 2352	2988	explorer.exe	39
PID 2988 wrote to memory of 2352	2988	explorer.exe	39
PID 2988 wrote to memory of 384	2988	explorer.exe	40
PID 2988 wrote to memory of 384	2988	explorer.exe	40
PID 2988 wrote to memory of 384	2988	explorer.exe	40
PID 2988 wrote to memory of 384	2988	explorer.exe	40
PID 2988 wrote to memory of 1292	2988	explorer.exe	41
PID 2988 wrote to memory of 1292	2988	explorer.exe	41

C:\Users\Admin\AppData\Local\Temp\710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe
"C:\Users\Admin\AppData\Local\Temp\710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe
  "C:\Users\Admin\AppData\Local\Temp\710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290dbN.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2884
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:2024
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.9MB

MD5
7166f200a4c14758fb2f950cf755b910

SHA1
72a52a35cb848bfc6d9d94d2b462f82e595c2a7b

SHA256
710458837fdf6074aff901da8624536ba35a5a86d81037f8f1e19fd0227290db

SHA512
cfff1daa7880fd67ef580238f0e05921c6638177a4aa14ec1e35a1f08e4d8df99b5d7f3367bd81f5e57193fd2e4de83a463f2fa8d09e7d066f7cf496217c3fc9

Download Submit
C:\Windows\system\explorer.exe

Filesize
8.9MB

MD5
4d737a8b8d5e269503e38c20084434bb

SHA1
44dd44b0daaa922530fdcd452a3d023584cf7d33

SHA256
628627ef70fc60bc8edbe10e9fba69cedce7121e3dd6a83221e8b6ab6a5169d4

SHA512
332e5719df746c803888198ce4dd143612ee2c4c95cb9f05aebfc2aee73585d04a843219250bb6af12d4f4a042d3170757c4365e30a3ff72fbdd6e9a2e5f22be

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
5.0MB

MD5
e90d736251ea5179cc5c0311335c63da

SHA1
21c3843fdb4ef953f4c669f40694f6c4e9e8b375

SHA256
e2357c13f8fa358df255c94bd13bb20f0230eda9a957ec1fceecb0cb4a496693

SHA512
1c075a936d8086537d31d1d0d5c683d60847fb2efaf86a1aab8d3e9c3aa10dba0d447999552b2cf713281a967ed1f6ef4133b8f1f13536cc6053a32264cad135

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
2.6MB

MD5
eb58cfc0cc201fd6ba52387b2f38492f

SHA1
54ac6add0954662b90dbf8d68ba2a5da21b605ad

SHA256
3fd89dc7c1773fc91450cd87b479049f49f9df1378143b02a3f6baf4b5747fd3

SHA512
14d7ac286d4d34a9aee119c4845fd68b33a0c0f183067d0b06ee96254b1c66b15a671c2d6fb31ec17fa231507b703f6094812f2d652bdf60afcbd8b71dd4ce3d

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
2.8MB

MD5
b366589928f2fc15ae4f360d31d57302

SHA1
701d152dfeabd826976965a24e72996526175108

SHA256
e93abace50ffea107e576fc7256e2985e56215a7ee314b1d8218f4b098bd54cb

SHA512
00f1161d6cc75595201c02b813660ed5433baeb0d4f6db294c7beb588606fce8b43e946ba416c631957f7c7d93d1d29845c521c3a8c568c06b89ae513913cf80

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
2.3MB

MD5
8691f040eccb2c4e0cf04af6520d6338

SHA1
2352f6b693f3c589a822b7061b681b888e8bfd17

SHA256
dc3918812084ff39ae1e8a4f469ab37c861ea06fd6db5d7c704390a92231deb0

SHA512
f6aaeb45622ad79cb2920954c50d7f5fcaf7e642b8c7373c3701c12960e04f593dc80957b6dfaad4110868f52ba5e110dcdd6b8a8860880b3cc276d9a6718acd

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
2.2MB

MD5
24c3439bc68db83f8d46edbef4f9dcae

SHA1
e0b03819047a10470d32bdcf64afc1633bccc78c

SHA256
399c5f1b86c5396d713ee750c6f8e85660c5d47590e751c9e31b6dc0e17bb041

SHA512
ab629c5b75e9a0ea8acfccb0dafc362fead12ab509d53d872a06bab9db007208e952637b1c2bdaeaba8ccef8fc67b152e10f71e2a11a93aa76a9fde3f9d93d7c

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.9MB

MD5
0fd4821d588e7d46c4b7fea9b6e709ba

SHA1
8f7d5eff458c76a9c97023ce8009260468170aba

SHA256
6a02026ebd25ff65d769295d4153cd87dedf06c7fed5025a2bd9e67d6d0bac4a

SHA512
1a7d09eecacf556677689e9b57ea78aa406e9828718770a34604bd5a1dd8f832a34798321ad33d37894247f7aa948cbfbee7fe0140e8c2c01e5348d96c4d3f8a

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
2.1MB

MD5
e2572f7a80c937fa0de61d912b68ceaa

SHA1
df7b4099285f3cc1e4313f1186d84abdbc52f740

SHA256
4cbc7291586fc761950165f0517a720e1446fd5ebf3b012bc4c434dee8b4668d

SHA512
35c7545a70aa1be7eacb1935c7d847dc5c89b118bcce7d84dbe378d5916f50b4272fca3c43267595dc25bbb0ccb939bb5616c0349d2193b5d8e0d04337b332b9

Download Submit
\Windows\system\spoolsv.exe

Filesize
5.4MB

MD5
26df77197a412502b98f5aa64d803a09

SHA1
8b57a76aaa8749bb692f1bef344db5631e555370

SHA256
edf0dc08a327e650ed09bd2664244d7c835519dc0f03a816fc06690de6f323a6

SHA512
0a93eff6cdfa48e34fe95a30a5075b7c7715af44ba1d48eb2777db147e66c6dbf00c7b1c5c2223bde4a30972867e5c2ad77279553888e5b5b1ba0b69533db808

Download Submit
\Windows\system\spoolsv.exe

Filesize
5.1MB

MD5
c49367db2601e5f80a5f73951bce7b0c

SHA1
9bfe12fa729ff9bf81bcc4b07a7bc01e93d8c727

SHA256
eecb352c9b2ff59443122a13cd5aff75996dbbfed1b4a6ee9b56cfe0185eb6b2

SHA512
86ef2b4c56be6dad00e45c4142c5ac58ee9b003ab4308ba2eddee3e21d2ac6e33c4b1729a23251097374ec6f2e32dc3473952fcdb7a8daf01fd6702bcd3ac834

Download Submit
\Windows\system\spoolsv.exe

Filesize
3.9MB

MD5
b246ed317ca86f56f07d4f3517867a38

SHA1
e8a26d72d528c3e64d2e253dac7db576c85af0b4

SHA256
7744388981ab640394452f994479be1aeef3a414b7c99024f4833a02936f3e74

SHA512
4114ce817cfff3ba9ccc8f94bf04584c2436d39e0f37967993acae3699528a17206a893f91040464ff1458fea1268cf789b3dc4ac80f25bf91ae8321d454229b

Download Submit
\Windows\system\spoolsv.exe

Filesize
3.8MB

MD5
917aaaa399613add56ea61ca0a963e51

SHA1
fdb7e43c9b58fd031bb5c59871fdc9164b67d720

SHA256
97eb1b2577f86dea1f720d96fc1f00700c61fb3b48ed747b6785ca4319ff2de3

SHA512
e7f6c508a1c2e27a84312164bb9a2a201360b662c33a314f19315d39bb1a0fa1f9ed79c1be6c7237dcf4e05b3402be11e07ffb466e5fe02a0265eba5c3072481

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.1MB

MD5
9c38b44e55c8f247cfb82cb779f2da64

SHA1
3540aed9beadcbb6d0de34737ea053e38d481e9b

SHA256
65b4516e81b9550a9715bb4cbdc44dc17601a86e89eae9acc278f00bcb068c52

SHA512
f6297c7446018694587f12b1153f435027aeb7dbd905182ad432fbfcc7bd452ccb163c67addfa938c0e0c86fe3d1679008cbc7a60f47a767d5d3250eeab13554

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.1MB

MD5
21b202b62b621632fa88d18314a63dd6

SHA1
9cae0fb941988ea2161466ffd92df596196278d8

SHA256
054ba42f02dd603e56a60ff4cab834b378a75342c05a7e799aa596028df6f1bf

SHA512
e40b510c8b8ede01c9b050cfafc70f58a764301141c35b66b527501839a239c1715eb9b5a5c6042eb14a251608a354ab3fb99e9c780b4242f8a07572383185e4

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.9MB

MD5
1d3d07dbfb540369f21af75d8e705e8d

SHA1
276d8dadf96fd1f2dc616f531d7807c7f1141de9

SHA256
b108ba83958fccfe04992db01edff58e353ec6d6e85d6a1227f6192b19eb14f2

SHA512
85d3a18d7531944ce4e64fe50a87fd1e1e28153732547b268e041d46159ea5225dd97b44cefa27788a507fa8093c7c0ea45894a90627b266fc4c1a1cb0366101

Download Submit
memory/384-155-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1344-19-0x0000000002F70000-0x0000000003085000-memory.dmp

Filesize
1.1MB

Download
memory/1344-2-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1344-0-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1344-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1344-31-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1344-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1452-143-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1452-111-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1556-175-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1756-121-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1856-89-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2024-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2176-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2176-29-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2176-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2176-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2176-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2352-140-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2368-144-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2684-139-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2796-75-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2796-45-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2796-46-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2796-50-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2884-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-43-0x0000000002F70000-0x0000000003085000-memory.dmp

Filesize
1.1MB

Download
memory/2884-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-42-0x0000000002F70000-0x0000000003085000-memory.dmp

Filesize
1.1MB

Download
memory/2884-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-130-0x0000000002E20000-0x0000000002F35000-memory.dmp

Filesize
1.1MB

Download
memory/2988-153-0x0000000002E20000-0x0000000002F35000-memory.dmp

Filesize
1.1MB

Download
memory/2988-120-0x0000000002E20000-0x0000000002F35000-memory.dmp

Filesize
1.1MB

Download
memory/2988-110-0x0000000002E20000-0x0000000002F35000-memory.dmp

Filesize
1.1MB

Download
memory/2988-99-0x0000000002E20000-0x0000000002F35000-memory.dmp

Filesize
1.1MB

Download
memory/2988-88-0x0000000002E20000-0x0000000002F35000-memory.dmp

Filesize
1.1MB

Download
memory/2988-141-0x0000000002E20000-0x0000000002F35000-memory.dmp

Filesize
1.1MB

Download
memory/2988-174-0x0000000002E20000-0x0000000002F35000-memory.dmp

Filesize
1.1MB

Download
memory/2988-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-163-0x0000000002E20000-0x0000000002F35000-memory.dmp

Filesize
1.1MB

Download
memory/2988-154-0x0000000002E20000-0x0000000002F35000-memory.dmp

Filesize
1.1MB

Download