a63ad17f9da3fb8cf9d4b8c8f6273daec8687e1341a51b21b6e6f6631ef0352f

Analysis

max time kernel
122s
max time network
121s
platform
windows7_x64
resource
win7
submitted
14/07/2020, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlowerPower.exe
Size

5.8MB
MD5

78263df9cd49a86778936bbe067d321f
SHA1

af8b97cde7d3adad1afa14ae955df8390c0b586d
SHA256

a63ad17f9da3fb8cf9d4b8c8f6273daec8687e1341a51b21b6e6f6631ef0352f
SHA512

7be93824a3274a3a47f2848cf5691e0953e06f786dd874651f08ddf80e7e8705b3e684d3be4be5045a848a9517857446523cac9b836f8582d2c9124a0a4a361e

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies the visibility of hidden or system files 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1080	FlowerPower.exe
744	FlowerPower.exe
1676	explorer.exe
1980	spoolsv.exe
1908	explorer.exe
1908	explorer.exe
820	spoolsv.exe
1908	explorer.exe
1324	spoolsv.exe
1908	explorer.exe
1112	spoolsv.exe
1908	explorer.exe

Executes dropped EXE 11 IoCs

pid	Process
1676	explorer.exe
1656	explorer.exe
1908	explorer.exe
1980	spoolsv.exe
1048	spoolsv.exe
820	spoolsv.exe
512	spoolsv.exe
1324	spoolsv.exe
276	spoolsv.exe
1112	spoolsv.exe
1984	spoolsv.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 1080 set thread context of 1076	1080	FlowerPower.exe	26
PID 1076 set thread context of 744	1076	FlowerPower.exe	27
PID 1076 set thread context of 1116	1076	FlowerPower.exe	28
PID 1676 set thread context of 1656	1676	explorer.exe	34
PID 1656 set thread context of 1908	1656	explorer.exe	35
PID 1656 set thread context of 1972	1656	explorer.exe	36
PID 1980 set thread context of 1048	1980	spoolsv.exe	40
PID 820 set thread context of 512	820	spoolsv.exe	44
PID 1324 set thread context of 276	1324	spoolsv.exe	48
PID 1112 set thread context of 1984	1112	spoolsv.exe	52

Loads dropped DLL 16 IoCs

pid	Process
744	FlowerPower.exe
744	FlowerPower.exe
1908	explorer.exe
1908	explorer.exe
1980	spoolsv.exe
1908	explorer.exe
1908	explorer.exe
820	spoolsv.exe
1908	explorer.exe
1908	explorer.exe
1324	spoolsv.exe
1908	explorer.exe
1908	explorer.exe
1112	spoolsv.exe
1908	explorer.exe
1908	explorer.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Adds Run entry to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	FlowerPower.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	FlowerPower.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1080	FlowerPower.exe
1080	FlowerPower.exe
744	FlowerPower.exe
744	FlowerPower.exe
1676	explorer.exe
1676	explorer.exe
1908	explorer.exe
1908	explorer.exe
1980	spoolsv.exe
1980	spoolsv.exe
1908	explorer.exe
1908	explorer.exe
820	spoolsv.exe
820	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1112	spoolsv.exe
1112	spoolsv.exe

Suspicious use of WriteProcessMemory 215 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1172	1080	FlowerPower.exe	24
PID 1080 wrote to memory of 1172	1080	FlowerPower.exe	24
PID 1080 wrote to memory of 1172	1080	FlowerPower.exe	24
PID 1080 wrote to memory of 1172	1080	FlowerPower.exe	24
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1080 wrote to memory of 1076	1080	FlowerPower.exe	26
PID 1076 wrote to memory of 744	1076	FlowerPower.exe	27
PID 1076 wrote to memory of 744	1076	FlowerPower.exe	27
PID 1076 wrote to memory of 744	1076	FlowerPower.exe	27
PID 1076 wrote to memory of 744	1076	FlowerPower.exe	27
PID 1076 wrote to memory of 744	1076	FlowerPower.exe	27
PID 1076 wrote to memory of 744	1076	FlowerPower.exe	27
PID 1076 wrote to memory of 744	1076	FlowerPower.exe	27
PID 1076 wrote to memory of 744	1076	FlowerPower.exe	27
PID 1076 wrote to memory of 744	1076	FlowerPower.exe	27
PID 1076 wrote to memory of 1116	1076	FlowerPower.exe	28
PID 1076 wrote to memory of 1116	1076	FlowerPower.exe	28
PID 1076 wrote to memory of 1116	1076	FlowerPower.exe	28
PID 1076 wrote to memory of 1116	1076	FlowerPower.exe	28
PID 1076 wrote to memory of 1116	1076	FlowerPower.exe	28
PID 1076 wrote to memory of 1116	1076	FlowerPower.exe	28
PID 744 wrote to memory of 1676	744	FlowerPower.exe	29
PID 744 wrote to memory of 1676	744	FlowerPower.exe	29
PID 744 wrote to memory of 1676	744	FlowerPower.exe	29
PID 744 wrote to memory of 1676	744	FlowerPower.exe	29
PID 1676 wrote to memory of 1820	1676	explorer.exe	30
PID 1676 wrote to memory of 1820	1676	explorer.exe	30
PID 1676 wrote to memory of 1820	1676	explorer.exe	30
PID 1676 wrote to memory of 1820	1676	explorer.exe	30
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1676 wrote to memory of 1656	1676	explorer.exe	34
PID 1656 wrote to memory of 1908	1656	explorer.exe	35
PID 1656 wrote to memory of 1908	1656	explorer.exe	35
PID 1656 wrote to memory of 1908	1656	explorer.exe	35
PID 1656 wrote to memory of 1908	1656	explorer.exe	35
PID 1656 wrote to memory of 1908	1656	explorer.exe	35
PID 1656 wrote to memory of 1908	1656	explorer.exe	35
PID 1656 wrote to memory of 1908	1656	explorer.exe	35
PID 1656 wrote to memory of 1908	1656	explorer.exe	35
PID 1656 wrote to memory of 1908	1656	explorer.exe	35
PID 1656 wrote to memory of 1972	1656	explorer.exe	36
PID 1656 wrote to memory of 1972	1656	explorer.exe	36
PID 1656 wrote to memory of 1972	1656	explorer.exe	36
PID 1656 wrote to memory of 1972	1656	explorer.exe	36
PID 1656 wrote to memory of 1972	1656	explorer.exe	36
PID 1656 wrote to memory of 1972	1656	explorer.exe	36
PID 1908 wrote to memory of 1980	1908	explorer.exe	37
PID 1908 wrote to memory of 1980	1908	explorer.exe	37
PID 1908 wrote to memory of 1980	1908	explorer.exe	37
PID 1908 wrote to memory of 1980	1908	explorer.exe	37
PID 1980 wrote to memory of 2036	1980	spoolsv.exe	38
PID 1980 wrote to memory of 2036	1980	spoolsv.exe	38
PID 1980 wrote to memory of 2036	1980	spoolsv.exe	38
PID 1980 wrote to memory of 2036	1980	spoolsv.exe	38
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1980 wrote to memory of 1048	1980	spoolsv.exe	40
PID 1908 wrote to memory of 820	1908	explorer.exe	41
PID 1908 wrote to memory of 820	1908	explorer.exe	41
PID 1908 wrote to memory of 820	1908	explorer.exe	41
PID 1908 wrote to memory of 820	1908	explorer.exe	41
PID 820 wrote to memory of 464	820	spoolsv.exe	42
PID 820 wrote to memory of 464	820	spoolsv.exe	42
PID 820 wrote to memory of 464	820	spoolsv.exe	42
PID 820 wrote to memory of 464	820	spoolsv.exe	42
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 820 wrote to memory of 512	820	spoolsv.exe	44
PID 1908 wrote to memory of 1324	1908	explorer.exe	45
PID 1908 wrote to memory of 1324	1908	explorer.exe	45
PID 1908 wrote to memory of 1324	1908	explorer.exe	45
PID 1908 wrote to memory of 1324	1908	explorer.exe	45
PID 1324 wrote to memory of 1308	1324	spoolsv.exe	46
PID 1324 wrote to memory of 1308	1324	spoolsv.exe	46
PID 1324 wrote to memory of 1308	1324	spoolsv.exe	46
PID 1324 wrote to memory of 1308	1324	spoolsv.exe	46
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1324 wrote to memory of 276	1324	spoolsv.exe	48
PID 1908 wrote to memory of 1112	1908	explorer.exe	49
PID 1908 wrote to memory of 1112	1908	explorer.exe	49
PID 1908 wrote to memory of 1112	1908	explorer.exe	49
PID 1908 wrote to memory of 1112	1908	explorer.exe	49
PID 1112 wrote to memory of 1256	1112	spoolsv.exe	50
PID 1112 wrote to memory of 1256	1112	spoolsv.exe	50
PID 1112 wrote to memory of 1256	1112	spoolsv.exe	50
PID 1112 wrote to memory of 1256	1112	spoolsv.exe	50
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1112 wrote to memory of 1984	1112	spoolsv.exe	52
PID 1908 wrote to memory of 1532	1908	explorer.exe	53
PID 1908 wrote to memory of 1532	1908	explorer.exe	53
PID 1908 wrote to memory of 1532	1908	explorer.exe	53

C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe
"C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe
  C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Adds Run entry to start application
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe
    C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:744
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        
        PID:1820
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Adds Run entry to start application
        
        PID:1656
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies the visibility of hidden or system files
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        Loads dropped DLL
        Modifies Installed Components in the registry
        Adds Run entry to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2036
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1048
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:464
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:512
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1308
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:276
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1256
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1984
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1532
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1972
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/276-99-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/512-83-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/744-30-0x0000000000440000-0x0000000000444000-memory.dmp

Filesize
16KB

Download
memory/744-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/744-18-0x0000000002FA0000-0x0000000002FB1000-memory.dmp

Filesize
68KB

Download
memory/744-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/744-15-0x0000000002FA0000-0x0000000002FB1000-memory.dmp

Filesize
68KB

Download
memory/744-31-0x00000000028A0000-0x00000000028A4000-memory.dmp

Filesize
16KB

Download
memory/744-16-0x00000000033B0000-0x00000000033C1000-memory.dmp

Filesize
68KB

Download
memory/1048-68-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1076-1-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1076-4-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1076-5-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1116-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1116-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1656-32-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1908-75-0x0000000002CC0000-0x0000000002CD1000-memory.dmp

Filesize
68KB

Download
memory/1908-59-0x00000000030D0000-0x00000000030E1000-memory.dmp

Filesize
68KB

Download
memory/1908-92-0x00000000030D0000-0x00000000030E1000-memory.dmp

Filesize
68KB

Download
memory/1908-76-0x00000000030D0000-0x00000000030E1000-memory.dmp

Filesize
68KB

Download
memory/1908-61-0x00000000030D0000-0x00000000030E1000-memory.dmp

Filesize
68KB

Download
memory/1908-60-0x0000000002CC0000-0x0000000002CD1000-memory.dmp

Filesize
68KB

Download
memory/1908-91-0x0000000002CC0000-0x0000000002CD1000-memory.dmp

Filesize
68KB

Download
memory/1908-58-0x0000000002CC0000-0x0000000002CD1000-memory.dmp

Filesize
68KB

Download
memory/1908-107-0x00000000030D0000-0x00000000030E1000-memory.dmp

Filesize
68KB

Download
memory/1908-106-0x0000000002CC0000-0x0000000002CD1000-memory.dmp

Filesize
68KB

Download