warzonerat | 3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95

Analysis

max time kernel
137s
max time network
8s
platform
windows7_x64
resource
win7v200430
submitted
25-06-2020 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe
Size

1.8MB
MD5

eb7aa7c1460bcdef08b202e20cc8c474
SHA1

2826e616df002bd1c3b114c864482f2e30a115d0
SHA256

3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95
SHA512

d11dbbd1147bc6f96614eab2ca2654eaec4fb967e60fa68b9734086d30c6b3da15e4ec377ee63c4bbce2438b37ff865e631d420ddb5345152de6820b70e38682

Score

10^/10

rat infostealer warzonerat persistence evasion

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 260 IoCs

rat

resource	yara_rule
behavioral1/files/0x00040000000131ad-11.dat	warzonerat
behavioral1/files/0x00040000000131ad-13.dat	warzonerat
behavioral1/files/0x00040000000131ad-16.dat	warzonerat
behavioral1/files/0x00040000000131ad-19.dat	warzonerat
behavioral1/files/0x00040000000131ad-22.dat	warzonerat
behavioral1/files/0x00040000000131a8-23.dat	warzonerat
behavioral1/files/0x00050000000131ab-24.dat	warzonerat
behavioral1/files/0x00050000000131ac-32.dat	warzonerat
behavioral1/files/0x00050000000131ac-33.dat	warzonerat
behavioral1/files/0x00050000000131ac-35.dat	warzonerat
behavioral1/files/0x00050000000131ac-40.dat	warzonerat
behavioral1/files/0x00050000000131ac-42.dat	warzonerat
behavioral1/files/0x00050000000131ac-45.dat	warzonerat
behavioral1/files/0x00050000000131ac-48.dat	warzonerat
behavioral1/files/0x00050000000131ac-50.dat	warzonerat
behavioral1/files/0x00050000000131ac-53.dat	warzonerat
behavioral1/files/0x00050000000131ac-56.dat	warzonerat
behavioral1/files/0x00050000000131ac-58.dat	warzonerat
behavioral1/files/0x00050000000131ac-61.dat	warzonerat
behavioral1/files/0x00050000000131ac-64.dat	warzonerat
behavioral1/files/0x00050000000131ac-66.dat	warzonerat
behavioral1/files/0x00050000000131ac-69.dat	warzonerat
behavioral1/files/0x00050000000131ac-72.dat	warzonerat
behavioral1/files/0x00050000000131ac-74.dat	warzonerat
behavioral1/files/0x00050000000131ac-77.dat	warzonerat
behavioral1/files/0x00050000000131ac-80.dat	warzonerat
behavioral1/files/0x00050000000131ac-82.dat	warzonerat
behavioral1/files/0x00050000000131ac-85.dat	warzonerat
behavioral1/files/0x00050000000131ac-88.dat	warzonerat
behavioral1/files/0x00050000000131ac-90.dat	warzonerat
behavioral1/files/0x00050000000131ac-93.dat	warzonerat
behavioral1/files/0x00050000000131ac-96.dat	warzonerat
behavioral1/files/0x00050000000131ac-98.dat	warzonerat
behavioral1/files/0x00050000000131ac-101.dat	warzonerat
behavioral1/files/0x00050000000131ac-104.dat	warzonerat
behavioral1/files/0x00050000000131ac-106.dat	warzonerat
behavioral1/files/0x00050000000131ac-109.dat	warzonerat
behavioral1/files/0x00050000000131ac-112.dat	warzonerat
behavioral1/files/0x00050000000131ac-114.dat	warzonerat
behavioral1/files/0x00050000000131ac-117.dat	warzonerat
behavioral1/files/0x00050000000131ac-120.dat	warzonerat
behavioral1/files/0x00050000000131ac-122.dat	warzonerat
behavioral1/files/0x00050000000131ac-125.dat	warzonerat
behavioral1/files/0x00050000000131ac-128.dat	warzonerat
behavioral1/files/0x00050000000131ac-130.dat	warzonerat
behavioral1/files/0x00050000000131ac-133.dat	warzonerat
behavioral1/files/0x00050000000131ac-136.dat	warzonerat
behavioral1/files/0x00050000000131ac-138.dat	warzonerat
behavioral1/files/0x00050000000131ac-141.dat	warzonerat
behavioral1/files/0x00050000000131ac-144.dat	warzonerat
behavioral1/files/0x00050000000131ac-146.dat	warzonerat
behavioral1/files/0x00050000000131ac-149.dat	warzonerat
behavioral1/files/0x00050000000131ac-152.dat	warzonerat
behavioral1/files/0x00050000000131ac-154.dat	warzonerat
behavioral1/files/0x00050000000131ac-157.dat	warzonerat
behavioral1/files/0x00050000000131ac-160.dat	warzonerat
behavioral1/files/0x00050000000131ac-162.dat	warzonerat
behavioral1/files/0x00050000000131ac-165.dat	warzonerat
behavioral1/files/0x00050000000131ac-168.dat	warzonerat
behavioral1/files/0x00050000000131ac-170.dat	warzonerat
behavioral1/files/0x00050000000131ac-173.dat	warzonerat
behavioral1/files/0x00050000000131ac-176.dat	warzonerat
behavioral1/files/0x00050000000131ac-178.dat	warzonerat
behavioral1/files/0x00050000000131ac-181.dat	warzonerat
behavioral1/files/0x00050000000131ac-184.dat	warzonerat
behavioral1/files/0x00050000000131ac-186.dat	warzonerat
behavioral1/files/0x00050000000131ac-189.dat	warzonerat
behavioral1/files/0x00050000000131ac-192.dat	warzonerat
behavioral1/files/0x00050000000131ac-194.dat	warzonerat
behavioral1/files/0x00050000000131ac-197.dat	warzonerat
behavioral1/files/0x00050000000131ac-200.dat	warzonerat
behavioral1/files/0x00050000000131ac-202.dat	warzonerat
behavioral1/files/0x00050000000131ac-205.dat	warzonerat
behavioral1/files/0x00050000000131ac-208.dat	warzonerat
behavioral1/files/0x00050000000131ac-210.dat	warzonerat
behavioral1/files/0x00050000000131ac-213.dat	warzonerat
behavioral1/files/0x00050000000131ac-216.dat	warzonerat
behavioral1/files/0x00050000000131ac-218.dat	warzonerat
behavioral1/files/0x00050000000131ac-221.dat	warzonerat
behavioral1/files/0x00050000000131ac-224.dat	warzonerat
behavioral1/files/0x00050000000131ac-226.dat	warzonerat
behavioral1/files/0x00050000000131ac-229.dat	warzonerat
behavioral1/files/0x00050000000131ac-232.dat	warzonerat
behavioral1/files/0x00050000000131ac-234.dat	warzonerat
behavioral1/files/0x00050000000131ac-237.dat	warzonerat
behavioral1/files/0x00050000000131ac-240.dat	warzonerat
behavioral1/files/0x00050000000131ac-242.dat	warzonerat
behavioral1/files/0x00050000000131ac-245.dat	warzonerat
behavioral1/files/0x00050000000131ac-248.dat	warzonerat
behavioral1/files/0x00050000000131ac-250.dat	warzonerat
behavioral1/files/0x00050000000131ac-253.dat	warzonerat
behavioral1/files/0x00050000000131ac-256.dat	warzonerat
behavioral1/files/0x00050000000131ac-258.dat	warzonerat
behavioral1/files/0x00050000000131ac-261.dat	warzonerat
behavioral1/files/0x00050000000131ac-264.dat	warzonerat
behavioral1/files/0x00050000000131ac-266.dat	warzonerat
behavioral1/files/0x00050000000131ac-269.dat	warzonerat
behavioral1/files/0x00050000000131ac-272.dat	warzonerat
behavioral1/files/0x00050000000131ac-274.dat	warzonerat
behavioral1/files/0x00050000000131ac-277.dat	warzonerat
behavioral1/files/0x00050000000131ac-280.dat	warzonerat
behavioral1/files/0x00050000000131ac-282.dat	warzonerat
behavioral1/files/0x00050000000131ac-285.dat	warzonerat
behavioral1/files/0x00050000000131ac-288.dat	warzonerat
behavioral1/files/0x00050000000131ac-290.dat	warzonerat
behavioral1/files/0x00050000000131ac-293.dat	warzonerat
behavioral1/files/0x00050000000131ac-296.dat	warzonerat
behavioral1/files/0x00050000000131ac-298.dat	warzonerat
behavioral1/files/0x00050000000131ac-301.dat	warzonerat
behavioral1/files/0x00050000000131ac-304.dat	warzonerat
behavioral1/files/0x00050000000131ac-306.dat	warzonerat
behavioral1/files/0x00050000000131ac-309.dat	warzonerat
behavioral1/files/0x00050000000131ac-312.dat	warzonerat
behavioral1/files/0x00050000000131ac-314.dat	warzonerat
behavioral1/files/0x00050000000131ac-317.dat	warzonerat
behavioral1/files/0x00050000000131ac-320.dat	warzonerat
behavioral1/files/0x00050000000131ac-322.dat	warzonerat
behavioral1/files/0x00050000000131ac-325.dat	warzonerat
behavioral1/files/0x00050000000131ac-328.dat	warzonerat
behavioral1/files/0x00050000000131ac-330.dat	warzonerat
behavioral1/files/0x00050000000131ac-333.dat	warzonerat
behavioral1/files/0x00050000000131ac-336.dat	warzonerat
behavioral1/files/0x00050000000131ac-338.dat	warzonerat
behavioral1/files/0x00050000000131ac-341.dat	warzonerat
behavioral1/files/0x00050000000131ac-344.dat	warzonerat
behavioral1/files/0x00050000000131ac-346.dat	warzonerat
behavioral1/files/0x00050000000131ac-349.dat	warzonerat
behavioral1/files/0x00050000000131ac-352.dat	warzonerat
behavioral1/files/0x00050000000131ac-354.dat	warzonerat
behavioral1/files/0x00050000000131ac-357.dat	warzonerat
behavioral1/files/0x00050000000131ac-360.dat	warzonerat
behavioral1/files/0x00050000000131ac-362.dat	warzonerat
behavioral1/files/0x00050000000131ac-365.dat	warzonerat
behavioral1/files/0x00050000000131ac-368.dat	warzonerat
behavioral1/files/0x00050000000131ac-370.dat	warzonerat
behavioral1/files/0x00050000000131ac-373.dat	warzonerat
behavioral1/files/0x00050000000131ac-376.dat	warzonerat
behavioral1/files/0x00050000000131ac-378.dat	warzonerat
behavioral1/files/0x00050000000131ac-381.dat	warzonerat
behavioral1/files/0x00050000000131ac-384.dat	warzonerat
behavioral1/files/0x00050000000131ac-386.dat	warzonerat
behavioral1/files/0x00050000000131ac-389.dat	warzonerat
behavioral1/files/0x00050000000131ac-392.dat	warzonerat
behavioral1/files/0x00050000000131ac-394.dat	warzonerat
behavioral1/files/0x00050000000131ac-397.dat	warzonerat
behavioral1/files/0x00050000000131ac-400.dat	warzonerat
behavioral1/files/0x00050000000131ac-402.dat	warzonerat
behavioral1/files/0x00050000000131ac-405.dat	warzonerat
behavioral1/files/0x00050000000131ac-408.dat	warzonerat
behavioral1/files/0x00050000000131ac-410.dat	warzonerat
behavioral1/files/0x00050000000131ac-413.dat	warzonerat
behavioral1/files/0x00050000000131ac-416.dat	warzonerat
behavioral1/files/0x00050000000131ac-418.dat	warzonerat
behavioral1/files/0x00050000000131ac-421.dat	warzonerat
behavioral1/files/0x00050000000131ac-424.dat	warzonerat
behavioral1/files/0x00050000000131ac-426.dat	warzonerat
behavioral1/files/0x00050000000131ac-429.dat	warzonerat
behavioral1/files/0x00050000000131ac-432.dat	warzonerat
behavioral1/files/0x00050000000131ac-434.dat	warzonerat
behavioral1/files/0x00050000000131ac-437.dat	warzonerat
behavioral1/files/0x00050000000131ac-440.dat	warzonerat
behavioral1/files/0x00050000000131ac-442.dat	warzonerat
behavioral1/files/0x00050000000131ac-445.dat	warzonerat
behavioral1/files/0x00050000000131ac-448.dat	warzonerat
behavioral1/files/0x00050000000131ac-450.dat	warzonerat
behavioral1/files/0x00050000000131ac-453.dat	warzonerat
behavioral1/files/0x00050000000131ac-456.dat	warzonerat
behavioral1/files/0x00050000000131ac-458.dat	warzonerat
behavioral1/files/0x00050000000131ac-461.dat	warzonerat
behavioral1/files/0x00050000000131ac-464.dat	warzonerat
behavioral1/files/0x00050000000131ac-466.dat	warzonerat
behavioral1/files/0x00050000000131ac-469.dat	warzonerat
behavioral1/files/0x00050000000131ac-472.dat	warzonerat
behavioral1/files/0x00050000000131ac-474.dat	warzonerat
behavioral1/files/0x00050000000131ac-477.dat	warzonerat
behavioral1/files/0x00050000000131ac-480.dat	warzonerat
behavioral1/files/0x00050000000131ac-482.dat	warzonerat
behavioral1/files/0x00050000000131ac-485.dat	warzonerat
behavioral1/files/0x00050000000131ac-488.dat	warzonerat
behavioral1/files/0x00050000000131ac-490.dat	warzonerat
behavioral1/files/0x00050000000131ac-493.dat	warzonerat
behavioral1/files/0x00050000000131ac-496.dat	warzonerat
behavioral1/files/0x00050000000131ac-498.dat	warzonerat
behavioral1/files/0x00050000000131ac-501.dat	warzonerat
behavioral1/files/0x00050000000131ac-504.dat	warzonerat
behavioral1/files/0x00050000000131ac-506.dat	warzonerat
behavioral1/files/0x00050000000131ac-509.dat	warzonerat
behavioral1/files/0x00050000000131ac-512.dat	warzonerat
behavioral1/files/0x00050000000131ac-514.dat	warzonerat
behavioral1/files/0x00050000000131ac-517.dat	warzonerat
behavioral1/files/0x00050000000131ac-520.dat	warzonerat
behavioral1/files/0x00050000000131ac-522.dat	warzonerat
behavioral1/files/0x00050000000131ac-525.dat	warzonerat
behavioral1/files/0x00050000000131ac-528.dat	warzonerat
behavioral1/files/0x00050000000131ac-530.dat	warzonerat
behavioral1/files/0x00050000000131ac-533.dat	warzonerat
behavioral1/files/0x00050000000131ac-536.dat	warzonerat
behavioral1/files/0x00050000000131ac-538.dat	warzonerat
behavioral1/files/0x00050000000131ac-541.dat	warzonerat
behavioral1/files/0x00050000000131ac-544.dat	warzonerat
behavioral1/files/0x00050000000131ac-546.dat	warzonerat
behavioral1/files/0x00050000000131ac-549.dat	warzonerat
behavioral1/files/0x00050000000131ac-552.dat	warzonerat
behavioral1/files/0x00050000000131ac-554.dat	warzonerat
behavioral1/files/0x00050000000131ac-557.dat	warzonerat
behavioral1/files/0x00050000000131ac-560.dat	warzonerat
behavioral1/files/0x00050000000131ac-562.dat	warzonerat
behavioral1/files/0x00050000000131ac-565.dat	warzonerat
behavioral1/files/0x00050000000131ac-568.dat	warzonerat
behavioral1/files/0x00050000000131ac-570.dat	warzonerat
behavioral1/files/0x00050000000131ac-573.dat	warzonerat
behavioral1/files/0x00050000000131ac-576.dat	warzonerat
behavioral1/files/0x00050000000131ac-578.dat	warzonerat
behavioral1/files/0x00050000000131ac-581.dat	warzonerat
behavioral1/files/0x00050000000131ac-584.dat	warzonerat
behavioral1/files/0x00050000000131ac-586.dat	warzonerat
behavioral1/files/0x00050000000131ac-589.dat	warzonerat
behavioral1/files/0x00050000000131ac-592.dat	warzonerat
behavioral1/files/0x00050000000131ac-594.dat	warzonerat
behavioral1/files/0x00050000000131ac-597.dat	warzonerat
behavioral1/files/0x00050000000131ac-600.dat	warzonerat
behavioral1/files/0x00050000000131ac-602.dat	warzonerat
behavioral1/files/0x00050000000131ac-605.dat	warzonerat
behavioral1/files/0x00050000000131ac-608.dat	warzonerat
behavioral1/files/0x00050000000131ac-610.dat	warzonerat
behavioral1/files/0x00050000000131ac-613.dat	warzonerat
behavioral1/files/0x00050000000131ac-616.dat	warzonerat
behavioral1/files/0x00050000000131ac-618.dat	warzonerat
behavioral1/files/0x00050000000131ac-621.dat	warzonerat
behavioral1/files/0x00050000000131ac-624.dat	warzonerat
behavioral1/files/0x00050000000131ac-626.dat	warzonerat
behavioral1/files/0x00050000000131ac-629.dat	warzonerat
behavioral1/files/0x00050000000131ac-632.dat	warzonerat
behavioral1/files/0x00050000000131ac-634.dat	warzonerat
behavioral1/files/0x00050000000131ac-637.dat	warzonerat
behavioral1/files/0x00050000000131ac-640.dat	warzonerat
behavioral1/files/0x00050000000131ac-642.dat	warzonerat
behavioral1/files/0x00050000000131ac-645.dat	warzonerat
behavioral1/files/0x00050000000131ac-648.dat	warzonerat
behavioral1/files/0x00050000000131ac-650.dat	warzonerat
behavioral1/files/0x00050000000131ac-653.dat	warzonerat
behavioral1/files/0x00050000000131ac-656.dat	warzonerat
behavioral1/files/0x00050000000131ac-658.dat	warzonerat
behavioral1/files/0x00050000000131ac-661.dat	warzonerat
behavioral1/files/0x00050000000131ac-664.dat	warzonerat
behavioral1/files/0x00050000000131ac-666.dat	warzonerat
behavioral1/files/0x00050000000131ac-669.dat	warzonerat
behavioral1/files/0x00050000000131ac-672.dat	warzonerat
behavioral1/files/0x00050000000131ac-674.dat	warzonerat
behavioral1/files/0x00050000000131ac-677.dat	warzonerat
behavioral1/files/0x00050000000131ac-680.dat	warzonerat
behavioral1/files/0x00050000000131ac-682.dat	warzonerat
behavioral1/files/0x00050000000131ac-685.dat	warzonerat
behavioral1/files/0x00050000000131ac-688.dat	warzonerat
behavioral1/files/0x00050000000131ac-690.dat	warzonerat
behavioral1/files/0x00050000000131ac-691.dat	warzonerat
behavioral1/files/0x00050000000131ac-693.dat	warzonerat
behavioral1/files/0x00050000000131ac-697.dat	warzonerat
behavioral1/files/0x00050000000131ac-699.dat	warzonerat
behavioral1/files/0x00050000000131ac-707.dat	warzonerat

Executes dropped EXE 86 IoCs

pid	Process
1724	explorer.exe
268	explorer.exe
812	spoolsv.exe
1592	spoolsv.exe
1544	spoolsv.exe
1880	spoolsv.exe
1976	spoolsv.exe
2040	spoolsv.exe
2016	spoolsv.exe
1484	spoolsv.exe
1416	spoolsv.exe
1852	spoolsv.exe
1216	spoolsv.exe
1672	spoolsv.exe
1508	spoolsv.exe
1768	spoolsv.exe
924	spoolsv.exe
1848	spoolsv.exe
1312	spoolsv.exe
1872	spoolsv.exe
1628	spoolsv.exe
1900	spoolsv.exe
1996	spoolsv.exe
1180	spoolsv.exe
1664	spoolsv.exe
1556	spoolsv.exe
424	spoolsv.exe
296	spoolsv.exe
1316	spoolsv.exe
1776	spoolsv.exe
1428	spoolsv.exe
1044	spoolsv.exe
1308	spoolsv.exe
1576	spoolsv.exe
1464	spoolsv.exe
1964	spoolsv.exe
896	spoolsv.exe
1492	spoolsv.exe
1404	spoolsv.exe
860	spoolsv.exe
1820	spoolsv.exe
1764	spoolsv.exe
1528	spoolsv.exe
1320	spoolsv.exe
1572	spoolsv.exe
1936	spoolsv.exe
1148	spoolsv.exe
1552	spoolsv.exe
1104	spoolsv.exe
1496	spoolsv.exe
1828	spoolsv.exe
1932	spoolsv.exe
856	spoolsv.exe
1928	spoolsv.exe
2036	spoolsv.exe
1124	spoolsv.exe
1748	spoolsv.exe
1788	spoolsv.exe
600	spoolsv.exe
1620	spoolsv.exe
1948	spoolsv.exe
824	spoolsv.exe
764	spoolsv.exe
1832	spoolsv.exe
1020	spoolsv.exe
1584	spoolsv.exe
1736	spoolsv.exe
1668	spoolsv.exe
1724	spoolsv.exe
300	spoolsv.exe
1760	spoolsv.exe
1092	spoolsv.exe
1296	spoolsv.exe
968	spoolsv.exe
1568	spoolsv.exe
1204	spoolsv.exe
2072	spoolsv.exe
2112	spoolsv.exe
2152	spoolsv.exe
2192	spoolsv.exe
2232	spoolsv.exe
2272	spoolsv.exe
2312	spoolsv.exe
2352	spoolsv.exe
2416	spoolsv.exe
2392	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 171 IoCs

pid	Process
1360	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe
1360	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
812	spoolsv.exe
268	explorer.exe
1592	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 1360	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	26
PID 1508 set thread context of 1800	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	27
PID 1724 set thread context of 268	1724	explorer.exe	29
PID 1724 set thread context of 1304	1724	explorer.exe	30
PID 812 set thread context of 2416	812	spoolsv.exe	116
PID 812 set thread context of 2456	812	spoolsv.exe	117
PID 1592 set thread context of 2508	1592	spoolsv.exe	119

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 85 IoCs

pid	Process
1360	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1360	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe
1360	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
2416	spoolsv.exe

Suspicious use of WriteProcessMemory 390 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1360	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	26
PID 1508 wrote to memory of 1360	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	26
PID 1508 wrote to memory of 1360	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	26
PID 1508 wrote to memory of 1360	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	26
PID 1508 wrote to memory of 1360	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	26
PID 1508 wrote to memory of 1360	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	26
PID 1508 wrote to memory of 1360	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	26
PID 1508 wrote to memory of 1360	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	26
PID 1508 wrote to memory of 1360	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	26
PID 1508 wrote to memory of 1800	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	27
PID 1508 wrote to memory of 1800	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	27
PID 1508 wrote to memory of 1800	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	27
PID 1508 wrote to memory of 1800	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	27
PID 1508 wrote to memory of 1800	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	27
PID 1508 wrote to memory of 1800	1508	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	27
PID 1360 wrote to memory of 1724	1360	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	28
PID 1360 wrote to memory of 1724	1360	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	28
PID 1360 wrote to memory of 1724	1360	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	28
PID 1360 wrote to memory of 1724	1360	3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe	28
PID 1724 wrote to memory of 268	1724	explorer.exe	29
PID 1724 wrote to memory of 268	1724	explorer.exe	29
PID 1724 wrote to memory of 268	1724	explorer.exe	29
PID 1724 wrote to memory of 268	1724	explorer.exe	29
PID 1724 wrote to memory of 268	1724	explorer.exe	29
PID 1724 wrote to memory of 268	1724	explorer.exe	29
PID 1724 wrote to memory of 268	1724	explorer.exe	29
PID 1724 wrote to memory of 268	1724	explorer.exe	29
PID 1724 wrote to memory of 268	1724	explorer.exe	29
PID 1724 wrote to memory of 1304	1724	explorer.exe	30
PID 1724 wrote to memory of 1304	1724	explorer.exe	30
PID 1724 wrote to memory of 1304	1724	explorer.exe	30
PID 1724 wrote to memory of 1304	1724	explorer.exe	30
PID 1724 wrote to memory of 1304	1724	explorer.exe	30
PID 1724 wrote to memory of 1304	1724	explorer.exe	30
PID 268 wrote to memory of 812	268	explorer.exe	31
PID 268 wrote to memory of 812	268	explorer.exe	31
PID 268 wrote to memory of 812	268	explorer.exe	31
PID 268 wrote to memory of 812	268	explorer.exe	31
PID 268 wrote to memory of 1592	268	explorer.exe	32
PID 268 wrote to memory of 1592	268	explorer.exe	32
PID 268 wrote to memory of 1592	268	explorer.exe	32
PID 268 wrote to memory of 1592	268	explorer.exe	32
PID 268 wrote to memory of 1544	268	explorer.exe	33
PID 268 wrote to memory of 1544	268	explorer.exe	33
PID 268 wrote to memory of 1544	268	explorer.exe	33
PID 268 wrote to memory of 1544	268	explorer.exe	33
PID 268 wrote to memory of 1880	268	explorer.exe	34
PID 268 wrote to memory of 1880	268	explorer.exe	34
PID 268 wrote to memory of 1880	268	explorer.exe	34
PID 268 wrote to memory of 1880	268	explorer.exe	34
PID 268 wrote to memory of 1976	268	explorer.exe	35
PID 268 wrote to memory of 1976	268	explorer.exe	35
PID 268 wrote to memory of 1976	268	explorer.exe	35
PID 268 wrote to memory of 1976	268	explorer.exe	35
PID 268 wrote to memory of 2040	268	explorer.exe	36
PID 268 wrote to memory of 2040	268	explorer.exe	36
PID 268 wrote to memory of 2040	268	explorer.exe	36
PID 268 wrote to memory of 2040	268	explorer.exe	36
PID 268 wrote to memory of 2016	268	explorer.exe	37
PID 268 wrote to memory of 2016	268	explorer.exe	37
PID 268 wrote to memory of 2016	268	explorer.exe	37
PID 268 wrote to memory of 2016	268	explorer.exe	37
PID 268 wrote to memory of 1484	268	explorer.exe	38
PID 268 wrote to memory of 1484	268	explorer.exe	38
PID 268 wrote to memory of 1484	268	explorer.exe	38
PID 268 wrote to memory of 1484	268	explorer.exe	38
PID 268 wrote to memory of 1416	268	explorer.exe	39
PID 268 wrote to memory of 1416	268	explorer.exe	39
PID 268 wrote to memory of 1416	268	explorer.exe	39
PID 268 wrote to memory of 1416	268	explorer.exe	39
PID 268 wrote to memory of 1852	268	explorer.exe	40
PID 268 wrote to memory of 1852	268	explorer.exe	40
PID 268 wrote to memory of 1852	268	explorer.exe	40
PID 268 wrote to memory of 1852	268	explorer.exe	40
PID 268 wrote to memory of 1216	268	explorer.exe	41
PID 268 wrote to memory of 1216	268	explorer.exe	41
PID 268 wrote to memory of 1216	268	explorer.exe	41
PID 268 wrote to memory of 1216	268	explorer.exe	41
PID 268 wrote to memory of 1672	268	explorer.exe	42
PID 268 wrote to memory of 1672	268	explorer.exe	42
PID 268 wrote to memory of 1672	268	explorer.exe	42
PID 268 wrote to memory of 1672	268	explorer.exe	42
PID 268 wrote to memory of 1508	268	explorer.exe	43
PID 268 wrote to memory of 1508	268	explorer.exe	43
PID 268 wrote to memory of 1508	268	explorer.exe	43
PID 268 wrote to memory of 1508	268	explorer.exe	43
PID 268 wrote to memory of 1768	268	explorer.exe	44
PID 268 wrote to memory of 1768	268	explorer.exe	44
PID 268 wrote to memory of 1768	268	explorer.exe	44
PID 268 wrote to memory of 1768	268	explorer.exe	44
PID 268 wrote to memory of 924	268	explorer.exe	45
PID 268 wrote to memory of 924	268	explorer.exe	45
PID 268 wrote to memory of 924	268	explorer.exe	45
PID 268 wrote to memory of 924	268	explorer.exe	45
PID 268 wrote to memory of 1848	268	explorer.exe	46
PID 268 wrote to memory of 1848	268	explorer.exe	46
PID 268 wrote to memory of 1848	268	explorer.exe	46
PID 268 wrote to memory of 1848	268	explorer.exe	46
PID 268 wrote to memory of 1312	268	explorer.exe	47
PID 268 wrote to memory of 1312	268	explorer.exe	47
PID 268 wrote to memory of 1312	268	explorer.exe	47
PID 268 wrote to memory of 1312	268	explorer.exe	47
PID 268 wrote to memory of 1872	268	explorer.exe	48
PID 268 wrote to memory of 1872	268	explorer.exe	48
PID 268 wrote to memory of 1872	268	explorer.exe	48
PID 268 wrote to memory of 1872	268	explorer.exe	48
PID 268 wrote to memory of 1628	268	explorer.exe	49
PID 268 wrote to memory of 1628	268	explorer.exe	49
PID 268 wrote to memory of 1628	268	explorer.exe	49
PID 268 wrote to memory of 1628	268	explorer.exe	49
PID 268 wrote to memory of 1900	268	explorer.exe	50
PID 268 wrote to memory of 1900	268	explorer.exe	50
PID 268 wrote to memory of 1900	268	explorer.exe	50
PID 268 wrote to memory of 1900	268	explorer.exe	50
PID 268 wrote to memory of 1996	268	explorer.exe	51
PID 268 wrote to memory of 1996	268	explorer.exe	51
PID 268 wrote to memory of 1996	268	explorer.exe	51
PID 268 wrote to memory of 1996	268	explorer.exe	51
PID 268 wrote to memory of 1180	268	explorer.exe	52
PID 268 wrote to memory of 1180	268	explorer.exe	52
PID 268 wrote to memory of 1180	268	explorer.exe	52
PID 268 wrote to memory of 1180	268	explorer.exe	52
PID 268 wrote to memory of 1664	268	explorer.exe	53
PID 268 wrote to memory of 1664	268	explorer.exe	53
PID 268 wrote to memory of 1664	268	explorer.exe	53
PID 268 wrote to memory of 1664	268	explorer.exe	53
PID 268 wrote to memory of 1556	268	explorer.exe	54
PID 268 wrote to memory of 1556	268	explorer.exe	54
PID 268 wrote to memory of 1556	268	explorer.exe	54
PID 268 wrote to memory of 1556	268	explorer.exe	54
PID 268 wrote to memory of 424	268	explorer.exe	55
PID 268 wrote to memory of 424	268	explorer.exe	55
PID 268 wrote to memory of 424	268	explorer.exe	55
PID 268 wrote to memory of 424	268	explorer.exe	55
PID 268 wrote to memory of 296	268	explorer.exe	56
PID 268 wrote to memory of 296	268	explorer.exe	56
PID 268 wrote to memory of 296	268	explorer.exe	56
PID 268 wrote to memory of 296	268	explorer.exe	56
PID 268 wrote to memory of 1316	268	explorer.exe	57
PID 268 wrote to memory of 1316	268	explorer.exe	57
PID 268 wrote to memory of 1316	268	explorer.exe	57
PID 268 wrote to memory of 1316	268	explorer.exe	57
PID 268 wrote to memory of 1776	268	explorer.exe	58
PID 268 wrote to memory of 1776	268	explorer.exe	58
PID 268 wrote to memory of 1776	268	explorer.exe	58
PID 268 wrote to memory of 1776	268	explorer.exe	58
PID 268 wrote to memory of 1428	268	explorer.exe	59
PID 268 wrote to memory of 1428	268	explorer.exe	59
PID 268 wrote to memory of 1428	268	explorer.exe	59
PID 268 wrote to memory of 1428	268	explorer.exe	59
PID 268 wrote to memory of 1044	268	explorer.exe	60
PID 268 wrote to memory of 1044	268	explorer.exe	60
PID 268 wrote to memory of 1044	268	explorer.exe	60
PID 268 wrote to memory of 1044	268	explorer.exe	60
PID 268 wrote to memory of 1308	268	explorer.exe	61
PID 268 wrote to memory of 1308	268	explorer.exe	61
PID 268 wrote to memory of 1308	268	explorer.exe	61
PID 268 wrote to memory of 1308	268	explorer.exe	61
PID 268 wrote to memory of 1576	268	explorer.exe	62
PID 268 wrote to memory of 1576	268	explorer.exe	62
PID 268 wrote to memory of 1576	268	explorer.exe	62
PID 268 wrote to memory of 1576	268	explorer.exe	62
PID 268 wrote to memory of 1464	268	explorer.exe	63
PID 268 wrote to memory of 1464	268	explorer.exe	63
PID 268 wrote to memory of 1464	268	explorer.exe	63
PID 268 wrote to memory of 1464	268	explorer.exe	63
PID 268 wrote to memory of 1964	268	explorer.exe	64
PID 268 wrote to memory of 1964	268	explorer.exe	64
PID 268 wrote to memory of 1964	268	explorer.exe	64
PID 268 wrote to memory of 1964	268	explorer.exe	64
PID 268 wrote to memory of 896	268	explorer.exe	65
PID 268 wrote to memory of 896	268	explorer.exe	65
PID 268 wrote to memory of 896	268	explorer.exe	65
PID 268 wrote to memory of 896	268	explorer.exe	65
PID 268 wrote to memory of 1492	268	explorer.exe	66
PID 268 wrote to memory of 1492	268	explorer.exe	66
PID 268 wrote to memory of 1492	268	explorer.exe	66
PID 268 wrote to memory of 1492	268	explorer.exe	66
PID 268 wrote to memory of 1404	268	explorer.exe	67
PID 268 wrote to memory of 1404	268	explorer.exe	67
PID 268 wrote to memory of 1404	268	explorer.exe	67
PID 268 wrote to memory of 1404	268	explorer.exe	67
PID 268 wrote to memory of 860	268	explorer.exe	68
PID 268 wrote to memory of 860	268	explorer.exe	68
PID 268 wrote to memory of 860	268	explorer.exe	68
PID 268 wrote to memory of 860	268	explorer.exe	68
PID 268 wrote to memory of 1820	268	explorer.exe	69
PID 268 wrote to memory of 1820	268	explorer.exe	69
PID 268 wrote to memory of 1820	268	explorer.exe	69
PID 268 wrote to memory of 1820	268	explorer.exe	69
PID 268 wrote to memory of 1764	268	explorer.exe	70
PID 268 wrote to memory of 1764	268	explorer.exe	70
PID 268 wrote to memory of 1764	268	explorer.exe	70
PID 268 wrote to memory of 1764	268	explorer.exe	70
PID 268 wrote to memory of 1528	268	explorer.exe	71
PID 268 wrote to memory of 1528	268	explorer.exe	71
PID 268 wrote to memory of 1528	268	explorer.exe	71
PID 268 wrote to memory of 1528	268	explorer.exe	71
PID 268 wrote to memory of 1320	268	explorer.exe	72
PID 268 wrote to memory of 1320	268	explorer.exe	72
PID 268 wrote to memory of 1320	268	explorer.exe	72
PID 268 wrote to memory of 1320	268	explorer.exe	72
PID 268 wrote to memory of 1572	268	explorer.exe	73
PID 268 wrote to memory of 1572	268	explorer.exe	73
PID 268 wrote to memory of 1572	268	explorer.exe	73
PID 268 wrote to memory of 1572	268	explorer.exe	73
PID 268 wrote to memory of 1936	268	explorer.exe	74
PID 268 wrote to memory of 1936	268	explorer.exe	74
PID 268 wrote to memory of 1936	268	explorer.exe	74
PID 268 wrote to memory of 1936	268	explorer.exe	74
PID 268 wrote to memory of 1148	268	explorer.exe	75
PID 268 wrote to memory of 1148	268	explorer.exe	75
PID 268 wrote to memory of 1148	268	explorer.exe	75
PID 268 wrote to memory of 1148	268	explorer.exe	75
PID 268 wrote to memory of 1552	268	explorer.exe	76
PID 268 wrote to memory of 1552	268	explorer.exe	76
PID 268 wrote to memory of 1552	268	explorer.exe	76
PID 268 wrote to memory of 1552	268	explorer.exe	76
PID 268 wrote to memory of 1104	268	explorer.exe	77
PID 268 wrote to memory of 1104	268	explorer.exe	77
PID 268 wrote to memory of 1104	268	explorer.exe	77
PID 268 wrote to memory of 1104	268	explorer.exe	77
PID 268 wrote to memory of 1496	268	explorer.exe	78
PID 268 wrote to memory of 1496	268	explorer.exe	78
PID 268 wrote to memory of 1496	268	explorer.exe	78
PID 268 wrote to memory of 1496	268	explorer.exe	78
PID 268 wrote to memory of 1828	268	explorer.exe	79
PID 268 wrote to memory of 1828	268	explorer.exe	79
PID 268 wrote to memory of 1828	268	explorer.exe	79
PID 268 wrote to memory of 1828	268	explorer.exe	79
PID 268 wrote to memory of 1932	268	explorer.exe	80
PID 268 wrote to memory of 1932	268	explorer.exe	80
PID 268 wrote to memory of 1932	268	explorer.exe	80
PID 268 wrote to memory of 1932	268	explorer.exe	80
PID 268 wrote to memory of 856	268	explorer.exe	81
PID 268 wrote to memory of 856	268	explorer.exe	81
PID 268 wrote to memory of 856	268	explorer.exe	81
PID 268 wrote to memory of 856	268	explorer.exe	81
PID 268 wrote to memory of 1928	268	explorer.exe	82
PID 268 wrote to memory of 1928	268	explorer.exe	82
PID 268 wrote to memory of 1928	268	explorer.exe	82
PID 268 wrote to memory of 1928	268	explorer.exe	82
PID 268 wrote to memory of 2036	268	explorer.exe	83
PID 268 wrote to memory of 2036	268	explorer.exe	83
PID 268 wrote to memory of 2036	268	explorer.exe	83
PID 268 wrote to memory of 2036	268	explorer.exe	83
PID 268 wrote to memory of 1124	268	explorer.exe	84
PID 268 wrote to memory of 1124	268	explorer.exe	84
PID 268 wrote to memory of 1124	268	explorer.exe	84
PID 268 wrote to memory of 1124	268	explorer.exe	84
PID 268 wrote to memory of 1748	268	explorer.exe	85
PID 268 wrote to memory of 1748	268	explorer.exe	85
PID 268 wrote to memory of 1748	268	explorer.exe	85
PID 268 wrote to memory of 1748	268	explorer.exe	85
PID 268 wrote to memory of 1788	268	explorer.exe	86
PID 268 wrote to memory of 1788	268	explorer.exe	86
PID 268 wrote to memory of 1788	268	explorer.exe	86
PID 268 wrote to memory of 1788	268	explorer.exe	86
PID 268 wrote to memory of 600	268	explorer.exe	87
PID 268 wrote to memory of 600	268	explorer.exe	87
PID 268 wrote to memory of 600	268	explorer.exe	87
PID 268 wrote to memory of 600	268	explorer.exe	87
PID 268 wrote to memory of 1620	268	explorer.exe	88
PID 268 wrote to memory of 1620	268	explorer.exe	88
PID 268 wrote to memory of 1620	268	explorer.exe	88
PID 268 wrote to memory of 1620	268	explorer.exe	88
PID 268 wrote to memory of 1948	268	explorer.exe	89
PID 268 wrote to memory of 1948	268	explorer.exe	89
PID 268 wrote to memory of 1948	268	explorer.exe	89
PID 268 wrote to memory of 1948	268	explorer.exe	89
PID 268 wrote to memory of 824	268	explorer.exe	90
PID 268 wrote to memory of 824	268	explorer.exe	90
PID 268 wrote to memory of 824	268	explorer.exe	90
PID 268 wrote to memory of 824	268	explorer.exe	90
PID 268 wrote to memory of 764	268	explorer.exe	91
PID 268 wrote to memory of 764	268	explorer.exe	91
PID 268 wrote to memory of 764	268	explorer.exe	91
PID 268 wrote to memory of 764	268	explorer.exe	91
PID 268 wrote to memory of 1832	268	explorer.exe	92
PID 268 wrote to memory of 1832	268	explorer.exe	92
PID 268 wrote to memory of 1832	268	explorer.exe	92
PID 268 wrote to memory of 1832	268	explorer.exe	92
PID 268 wrote to memory of 1020	268	explorer.exe	93
PID 268 wrote to memory of 1020	268	explorer.exe	93
PID 268 wrote to memory of 1020	268	explorer.exe	93
PID 268 wrote to memory of 1020	268	explorer.exe	93
PID 268 wrote to memory of 1584	268	explorer.exe	94
PID 268 wrote to memory of 1584	268	explorer.exe	94
PID 268 wrote to memory of 1584	268	explorer.exe	94
PID 268 wrote to memory of 1584	268	explorer.exe	94
PID 268 wrote to memory of 1736	268	explorer.exe	95
PID 268 wrote to memory of 1736	268	explorer.exe	95
PID 268 wrote to memory of 1736	268	explorer.exe	95
PID 268 wrote to memory of 1736	268	explorer.exe	95
PID 268 wrote to memory of 1668	268	explorer.exe	96
PID 268 wrote to memory of 1668	268	explorer.exe	96
PID 268 wrote to memory of 1668	268	explorer.exe	96
PID 268 wrote to memory of 1668	268	explorer.exe	96
PID 268 wrote to memory of 1724	268	explorer.exe	98
PID 268 wrote to memory of 1724	268	explorer.exe	98
PID 268 wrote to memory of 1724	268	explorer.exe	98
PID 268 wrote to memory of 1724	268	explorer.exe	98
PID 268 wrote to memory of 300	268	explorer.exe	100
PID 268 wrote to memory of 300	268	explorer.exe	100
PID 268 wrote to memory of 300	268	explorer.exe	100
PID 268 wrote to memory of 300	268	explorer.exe	100
PID 268 wrote to memory of 1760	268	explorer.exe	101
PID 268 wrote to memory of 1760	268	explorer.exe	101
PID 268 wrote to memory of 1760	268	explorer.exe	101
PID 268 wrote to memory of 1760	268	explorer.exe	101
PID 268 wrote to memory of 1092	268	explorer.exe	102
PID 268 wrote to memory of 1092	268	explorer.exe	102
PID 268 wrote to memory of 1092	268	explorer.exe	102
PID 268 wrote to memory of 1092	268	explorer.exe	102
PID 268 wrote to memory of 1296	268	explorer.exe	103
PID 268 wrote to memory of 1296	268	explorer.exe	103
PID 268 wrote to memory of 1296	268	explorer.exe	103
PID 268 wrote to memory of 1296	268	explorer.exe	103
PID 268 wrote to memory of 968	268	explorer.exe	104
PID 268 wrote to memory of 968	268	explorer.exe	104
PID 268 wrote to memory of 968	268	explorer.exe	104
PID 268 wrote to memory of 968	268	explorer.exe	104
PID 268 wrote to memory of 1568	268	explorer.exe	105
PID 268 wrote to memory of 1568	268	explorer.exe	105
PID 268 wrote to memory of 1568	268	explorer.exe	105
PID 268 wrote to memory of 1568	268	explorer.exe	105
PID 268 wrote to memory of 1204	268	explorer.exe	106
PID 268 wrote to memory of 1204	268	explorer.exe	106
PID 268 wrote to memory of 1204	268	explorer.exe	106
PID 268 wrote to memory of 1204	268	explorer.exe	106
PID 268 wrote to memory of 2072	268	explorer.exe	107
PID 268 wrote to memory of 2072	268	explorer.exe	107
PID 268 wrote to memory of 2072	268	explorer.exe	107
PID 268 wrote to memory of 2072	268	explorer.exe	107
PID 268 wrote to memory of 2112	268	explorer.exe	108
PID 268 wrote to memory of 2112	268	explorer.exe	108
PID 268 wrote to memory of 2112	268	explorer.exe	108
PID 268 wrote to memory of 2112	268	explorer.exe	108
PID 268 wrote to memory of 2152	268	explorer.exe	109
PID 268 wrote to memory of 2152	268	explorer.exe	109
PID 268 wrote to memory of 2152	268	explorer.exe	109
PID 268 wrote to memory of 2152	268	explorer.exe	109
PID 268 wrote to memory of 2192	268	explorer.exe	110
PID 268 wrote to memory of 2192	268	explorer.exe	110
PID 268 wrote to memory of 2192	268	explorer.exe	110
PID 268 wrote to memory of 2192	268	explorer.exe	110
PID 268 wrote to memory of 2232	268	explorer.exe	111
PID 268 wrote to memory of 2232	268	explorer.exe	111
PID 268 wrote to memory of 2232	268	explorer.exe	111
PID 268 wrote to memory of 2232	268	explorer.exe	111
PID 268 wrote to memory of 2272	268	explorer.exe	112
PID 268 wrote to memory of 2272	268	explorer.exe	112
PID 268 wrote to memory of 2272	268	explorer.exe	112
PID 268 wrote to memory of 2272	268	explorer.exe	112
PID 268 wrote to memory of 2312	268	explorer.exe	113
PID 268 wrote to memory of 2312	268	explorer.exe	113
PID 268 wrote to memory of 2312	268	explorer.exe	113
PID 268 wrote to memory of 2312	268	explorer.exe	113
PID 268 wrote to memory of 2352	268	explorer.exe	114
PID 268 wrote to memory of 2352	268	explorer.exe	114
PID 268 wrote to memory of 2352	268	explorer.exe	114
PID 268 wrote to memory of 2352	268	explorer.exe	114
PID 268 wrote to memory of 2392	268	explorer.exe	115
PID 268 wrote to memory of 2392	268	explorer.exe	115
PID 268 wrote to memory of 2392	268	explorer.exe	115
PID 268 wrote to memory of 2392	268	explorer.exe	115
PID 812 wrote to memory of 2416	812	spoolsv.exe	116
PID 812 wrote to memory of 2416	812	spoolsv.exe	116
PID 812 wrote to memory of 2416	812	spoolsv.exe	116
PID 812 wrote to memory of 2416	812	spoolsv.exe	116
PID 812 wrote to memory of 2416	812	spoolsv.exe	116
PID 812 wrote to memory of 2416	812	spoolsv.exe	116
PID 812 wrote to memory of 2416	812	spoolsv.exe	116
PID 812 wrote to memory of 2416	812	spoolsv.exe	116
PID 812 wrote to memory of 2416	812	spoolsv.exe	116
PID 812 wrote to memory of 2456	812	spoolsv.exe	117
PID 812 wrote to memory of 2456	812	spoolsv.exe	117
PID 812 wrote to memory of 2456	812	spoolsv.exe	117
PID 812 wrote to memory of 2456	812	spoolsv.exe	117
PID 812 wrote to memory of 2456	812	spoolsv.exe	117
PID 812 wrote to memory of 2456	812	spoolsv.exe	117
PID 1592 wrote to memory of 2508	1592	spoolsv.exe	119
PID 1592 wrote to memory of 2508	1592	spoolsv.exe	119
PID 1592 wrote to memory of 2508	1592	spoolsv.exe	119
PID 1592 wrote to memory of 2508	1592	spoolsv.exe	119
PID 1592 wrote to memory of 2508	1592	spoolsv.exe	119
PID 1592 wrote to memory of 2508	1592	spoolsv.exe	119
PID 1592 wrote to memory of 2508	1592	spoolsv.exe	119
PID 1592 wrote to memory of 2508	1592	spoolsv.exe	119
PID 1592 wrote to memory of 2508	1592	spoolsv.exe	119

C:\Users\Admin\AppData\Local\Temp\3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe
"C:\Users\Admin\AppData\Local\Temp\3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe
  "C:\Users\Admin\AppData\Local\Temp\3816c271634e3a2861904c643e3f82fcc3e50ce185394dae41b69e13e0165a95.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1360
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:812
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2416
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1592
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2492
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1304
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-350-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-526-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-704-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-351-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-343-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-702-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-342-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-358-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-359-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-687-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-335-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-686-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-334-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-366-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-367-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-679-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-327-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-678-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-326-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-374-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-375-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-319-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-671-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-318-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-382-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-670-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-383-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-311-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-36-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-310-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-390-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-391-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-37-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-303-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-663-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-302-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-398-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-399-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-662-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-295-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-38-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-294-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-406-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-407-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-39-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-287-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-655-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-286-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-414-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-415-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-654-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-279-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-46-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-278-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-422-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-423-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-47-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-271-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-647-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-270-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-430-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-431-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-646-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-263-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-54-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-262-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-438-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-439-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-55-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-255-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-639-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-254-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-446-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-447-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-638-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-247-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-62-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-246-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-454-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-455-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-63-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-239-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-631-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-238-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-462-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-463-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-630-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-231-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-70-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-230-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-470-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-471-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-71-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-223-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-623-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-222-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-478-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-479-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-622-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-215-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-78-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-214-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-486-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-487-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-79-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-207-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-615-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-206-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-494-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-495-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-614-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-199-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-86-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-198-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-502-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-503-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-87-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-191-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-607-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-190-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-510-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-511-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-606-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-183-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-94-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-182-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-518-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-519-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-95-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-175-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-599-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-174-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-598-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-527-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-102-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-167-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-103-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-166-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-534-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-535-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-591-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-159-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-590-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-158-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-542-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-543-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-110-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-151-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-111-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-150-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-550-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-551-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-583-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-143-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-582-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-142-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-558-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-559-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-118-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-135-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-119-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-134-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-566-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-567-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-575-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-127-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/268-574-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/268-126-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/1360-9-0x0000000002D30000-0x0000000002D41000-memory.dmp

Filesize
68KB

Download
memory/1360-17-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1360-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1360-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1360-12-0x0000000002D30000-0x0000000002D41000-memory.dmp

Filesize
68KB

Download
memory/1360-18-0x0000000002730000-0x0000000002734000-memory.dmp

Filesize
16KB

Download
memory/1360-10-0x0000000003140000-0x0000000003151000-memory.dmp

Filesize
68KB

Download
memory/1800-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1800-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download