warzonerat | a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3

Analysis

max time kernel
109s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
Size

1.8MB
MD5

57bcfe41a00e95a924ecedc5571da466
SHA1

c1eaaf1e21bc6684165432c4b440047fb5a37c19
SHA256

a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3
SHA512

c78a6b3a6336f0190f15870b8cb178dbefd2857137e4cd2e1a7295467b16d515730407b73016a0d5bcdfe9c107eb8118b8324b8548fc3c8c55d8e527f4dc1c1b
SSDEEP

12288:p99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN/A7W2FeDSIGVH/KIDgv:r1gg4CppEI6GGfWDkCQDbGV6eH81kI

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Detects executables packed with ASPack 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2132-0-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2132-2-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2132-14-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
C:\Windows\System\explorer.exe	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/992-23-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/992-27-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/992-41-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
C:\Windows\System\spoolsv.exe	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1832-52-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2120-59-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4580-62-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4348-66-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4336-73-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2276-75-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3788-70-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1832-69-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3180-80-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4580-84-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3316-85-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4348-89-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2120-79-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3788-93-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2192-98-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2276-97-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1096-101-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3316-104-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4316-110-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1160-109-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1264-115-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2092-114-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1388-120-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2192-119-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4464-105-0x0000000000400000-0x0000000000514000-memory.dmp	INDICATOR_EXE_Packed_ASPack

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
992	explorer.exe
2988	explorer.exe
1832	spoolsv.exe
4336	spoolsv.exe
2120	spoolsv.exe
4580	spoolsv.exe
4348	spoolsv.exe
3788	spoolsv.exe
2276	spoolsv.exe
3180	spoolsv.exe
3316	spoolsv.exe
1160	spoolsv.exe
2092	spoolsv.exe
2192	spoolsv.exe
1096	spoolsv.exe
4464	spoolsv.exe
4316	spoolsv.exe
1264	spoolsv.exe
1388	spoolsv.exe
4264	spoolsv.exe
4504	spoolsv.exe
3192	spoolsv.exe
5056	spoolsv.exe
3144	spoolsv.exe
4916	spoolsv.exe
2724	spoolsv.exe
4660	spoolsv.exe
1752	spoolsv.exe
2320	spoolsv.exe
4352	spoolsv.exe
2676	spoolsv.exe
3496	spoolsv.exe
3280	spoolsv.exe
3944	spoolsv.exe
1344	spoolsv.exe
3332	spoolsv.exe
3244	spoolsv.exe
3392	spoolsv.exe
368	spoolsv.exe
1988	spoolsv.exe
2660	spoolsv.exe
3268	spoolsv.exe
3812	spoolsv.exe
2212	spoolsv.exe
2444	spoolsv.exe
1844	spoolsv.exe
4472	spoolsv.exe
1716	spoolsv.exe
940	spoolsv.exe
404	spoolsv.exe
1828	spoolsv.exe
1332	spoolsv.exe
3088	spoolsv.exe
3008	spoolsv.exe
2040	spoolsv.exe
2596	spoolsv.exe
4076	spoolsv.exe
3460	spoolsv.exe
5072	spoolsv.exe
1400	spoolsv.exe
2548	spoolsv.exe
2688	spoolsv.exe
4332	spoolsv.exe
3064	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exeexplorer.exe

description	pid	process	target process
PID 2132 set thread context of 2460	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
PID 2132 set thread context of 8	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	diskperf.exe
PID 992 set thread context of 2988	992	explorer.exe	explorer.exe
PID 992 set thread context of 3004	992	explorer.exe	diskperf.exe

Drops file in Windows directory 3 IoCs

Processes:

a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exeexplorer.exe

pid	process
2460	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
2460	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2988 explorer.exe

pid	process
2988	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exeexplorer.exe

pid	process
2460	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
2460	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exea1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2132 wrote to memory of 2460	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
PID 2132 wrote to memory of 2460	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
PID 2132 wrote to memory of 2460	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
PID 2132 wrote to memory of 2460	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
PID 2132 wrote to memory of 2460	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
PID 2132 wrote to memory of 2460	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
PID 2132 wrote to memory of 2460	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
PID 2132 wrote to memory of 2460	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
PID 2132 wrote to memory of 8	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	diskperf.exe
PID 2132 wrote to memory of 8	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	diskperf.exe
PID 2132 wrote to memory of 8	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	diskperf.exe
PID 2132 wrote to memory of 8	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	diskperf.exe
PID 2132 wrote to memory of 8	2132	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	diskperf.exe
PID 2460 wrote to memory of 992	2460	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	explorer.exe
PID 2460 wrote to memory of 992	2460	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	explorer.exe
PID 2460 wrote to memory of 992	2460	a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe	explorer.exe
PID 992 wrote to memory of 2988	992	explorer.exe	explorer.exe
PID 992 wrote to memory of 2988	992	explorer.exe	explorer.exe
PID 992 wrote to memory of 2988	992	explorer.exe	explorer.exe
PID 992 wrote to memory of 2988	992	explorer.exe	explorer.exe
PID 992 wrote to memory of 2988	992	explorer.exe	explorer.exe
PID 992 wrote to memory of 2988	992	explorer.exe	explorer.exe
PID 992 wrote to memory of 2988	992	explorer.exe	explorer.exe
PID 992 wrote to memory of 2988	992	explorer.exe	explorer.exe
PID 992 wrote to memory of 3004	992	explorer.exe	diskperf.exe
PID 992 wrote to memory of 3004	992	explorer.exe	diskperf.exe
PID 992 wrote to memory of 3004	992	explorer.exe	diskperf.exe
PID 992 wrote to memory of 3004	992	explorer.exe	diskperf.exe
PID 992 wrote to memory of 3004	992	explorer.exe	diskperf.exe
PID 2988 wrote to memory of 1832	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 1832	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 1832	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 4336	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 4336	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 4336	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 2120	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 2120	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 2120	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 4580	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 4580	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 4580	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 4348	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 4348	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 4348	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 3788	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 3788	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 3788	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 2276	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 2276	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 2276	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 3180	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 3180	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 3180	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 3316	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 3316	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 3316	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 1160	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 1160	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 1160	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 2092	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 2092	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 2092	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 2192	2988	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 2192	2988	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
"C:\Users\Admin\AppData\Local\Temp\a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe
"C:\Users\Admin\AppData\Local\Temp\a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:992

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:5056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:5072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6660

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:3004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:8

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
Filesize
1.8MB

MD5
57bcfe41a00e95a924ecedc5571da466

SHA1
c1eaaf1e21bc6684165432c4b440047fb5a37c19

SHA256
a1065cf7baa5d762a6245ccef99496c102c6b6a5afada8f385e66d9f3c3361f3

SHA512
c78a6b3a6336f0190f15870b8cb178dbefd2857137e4cd2e1a7295467b16d515730407b73016a0d5bcdfe9c107eb8118b8324b8548fc3c8c55d8e527f4dc1c1b

Download Submit
C:\Windows\System\explorer.exe
Filesize
1.8MB

MD5
d338e30fd2d0372c58f863512913d373

SHA1
1133ae8041ebcb634962afae359b6e43a5309e4a

SHA256
1d957fd4d4cc5db7d06c171f97d5044cdc5caa545af3db3ee01192e67939a121

SHA512
701f41ec105b9daf6be671920a18362b844fbcf4f79b12c7f58da0cd6488350ec998f7b06b3ec9ffcc8f0b096c520c2e941b8c187eef11bb00fb8d80943ec835

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
1.8MB

MD5
4e6bdff64b999c195456d1a6be8c5cbd

SHA1
8adcccad3e16882ff5dc1f4787d91a410766f8d0

SHA256
9b11c26bcfc48ad683a8e59b4e99120c41a1dbfd87e09796082b2ba353521eea

SHA512
07e225e0cc67f50c88a7940595218b278993a192a09b85084a94b6e69116f0076d2414f2c226ad5474c46f6767ffea6b829b4ef4e77316bab8ccde8b65948462

Download Submit
memory/8-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/8-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/8-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/992-24-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/992-23-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/992-27-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/992-28-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/992-41-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1096-102-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1096-101-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1160-112-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1160-109-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1160-90-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1264-115-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1264-116-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1388-120-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1832-53-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1832-52-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1832-69-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1832-72-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2092-114-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2092-94-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2092-117-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2120-60-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2120-59-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2120-79-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2120-83-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2132-14-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2132-3-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2132-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2132-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2132-1-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2192-98-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2192-119-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2192-99-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2276-75-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2276-97-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2276-77-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2460-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-38-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-44-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3180-81-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/3180-80-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3316-85-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3316-86-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/3316-106-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/3316-104-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3788-71-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/3788-93-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3788-96-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/3788-70-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4316-110-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4316-111-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4336-76-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/4336-73-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4336-57-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/4348-92-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4348-66-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4348-67-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4348-89-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4464-107-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4464-105-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4580-84-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4580-62-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4580-63-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4580-88-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download