warzonerat | 667ea3c2938067fd8020de96e7843b5aa60651d3331af0f45f60fa877a00a439

General

Target

02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
Size

2.9MB
MD5

02f5590ee8b795b44180a81b4bbbd2f1
SHA1

beb95708a8fe56663e1bf3ab788b031f0b4c1613
SHA256

667ea3c2938067fd8020de96e7843b5aa60651d3331af0f45f60fa877a00a439
SHA512

4edb0c13c443863fc53ef0cee24cece6c7bc46f75dc02db241bd1068009c1e22b4b5ca806c1cdba3c771f9bd3031b8c49c2bbf41b11d48d280e6f333a0b908fe
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHS:3Ty7A3mw4gxeOw46fUbNecCCFbNecB

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 23 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2772	explorer.exe
1192	explorer.exe
1100	explorer.exe
980	spoolsv.exe
964	spoolsv.exe
1608	spoolsv.exe
1732	spoolsv.exe
1880	spoolsv.exe
2424	spoolsv.exe
3012	spoolsv.exe
2392	spoolsv.exe
2812	spoolsv.exe
1876	spoolsv.exe
600	spoolsv.exe
336	spoolsv.exe
1620	spoolsv.exe
1112	spoolsv.exe
1236	spoolsv.exe
780	spoolsv.exe
2588	spoolsv.exe
1524	spoolsv.exe
272	spoolsv.exe
2536	spoolsv.exe
1540	spoolsv.exe
2668	spoolsv.exe
3004	spoolsv.exe
1980	spoolsv.exe
976	spoolsv.exe
1644	spoolsv.exe
3056	spoolsv.exe
1284	spoolsv.exe
1816	spoolsv.exe
2296	spoolsv.exe
2524	spoolsv.exe
1736	spoolsv.exe
2528	spoolsv.exe
1444	spoolsv.exe
2348	spoolsv.exe
2124	spoolsv.exe
2772	spoolsv.exe
600	spoolsv.exe
1248	spoolsv.exe
1572	spoolsv.exe
1600	spoolsv.exe
856	spoolsv.exe
2432	spoolsv.exe
2316	spoolsv.exe
2560	spoolsv.exe
1768	spoolsv.exe
2780	spoolsv.exe
2920	spoolsv.exe
2736	spoolsv.exe
1260	spoolsv.exe
2888	spoolsv.exe
2692	spoolsv.exe
412	spoolsv.exe
1536	spoolsv.exe
1692	spoolsv.exe
2320	spoolsv.exe
2708	spoolsv.exe
2120	spoolsv.exe
1544	spoolsv.exe
960	spoolsv.exe
868	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2988	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
2988	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
1100	explorer.exe
1100	explorer.exe
980	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
1608	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
1880	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
3012	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
2812	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
600	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
1620	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
1236	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
2588	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
272	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
1540	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
3004	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
976	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
3056	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
1816	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
2524	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
2528	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
2348	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
2772	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
1248	spoolsv.exe
1100	explorer.exe
1100	explorer.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exe02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 44 IoCs

Processes:

02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

description	pid	process	target process
PID 2168 set thread context of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 1044 set thread context of 2988	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 1044 set thread context of 2132	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	diskperf.exe
PID 2772 set thread context of 1192	2772	explorer.exe	explorer.exe
PID 1192 set thread context of 1100	1192	explorer.exe	explorer.exe
PID 1192 set thread context of 1772	1192	explorer.exe	diskperf.exe
PID 980 set thread context of 964	980	spoolsv.exe	spoolsv.exe
PID 1608 set thread context of 1732	1608	spoolsv.exe	spoolsv.exe
PID 1880 set thread context of 2424	1880	spoolsv.exe	spoolsv.exe
PID 3012 set thread context of 2392	3012	spoolsv.exe	spoolsv.exe
PID 2812 set thread context of 1876	2812	spoolsv.exe	spoolsv.exe
PID 600 set thread context of 336	600	spoolsv.exe	spoolsv.exe
PID 1620 set thread context of 1112	1620	spoolsv.exe	spoolsv.exe
PID 1236 set thread context of 780	1236	spoolsv.exe	spoolsv.exe
PID 2588 set thread context of 1524	2588	spoolsv.exe	spoolsv.exe
PID 272 set thread context of 2536	272	spoolsv.exe	spoolsv.exe
PID 1540 set thread context of 2668	1540	spoolsv.exe	spoolsv.exe
PID 3004 set thread context of 1980	3004	spoolsv.exe	spoolsv.exe
PID 976 set thread context of 1644	976	spoolsv.exe	spoolsv.exe
PID 3056 set thread context of 1284	3056	spoolsv.exe	spoolsv.exe
PID 1816 set thread context of 2296	1816	spoolsv.exe	spoolsv.exe
PID 2524 set thread context of 1736	2524	spoolsv.exe	spoolsv.exe
PID 2528 set thread context of 1444	2528	spoolsv.exe	spoolsv.exe
PID 2348 set thread context of 2124	2348	spoolsv.exe	spoolsv.exe
PID 2772 set thread context of 600	2772	spoolsv.exe	spoolsv.exe
PID 1248 set thread context of 1572	1248	spoolsv.exe	spoolsv.exe
PID 1600 set thread context of 856	1600	spoolsv.exe	spoolsv.exe
PID 2432 set thread context of 2316	2432	spoolsv.exe	spoolsv.exe
PID 2560 set thread context of 1768	2560	spoolsv.exe	spoolsv.exe
PID 2780 set thread context of 2920	2780	spoolsv.exe	spoolsv.exe
PID 2736 set thread context of 1260	2736	spoolsv.exe	spoolsv.exe
PID 2888 set thread context of 2692	2888	spoolsv.exe	spoolsv.exe
PID 412 set thread context of 1536	412	spoolsv.exe	spoolsv.exe
PID 1692 set thread context of 2320	1692	spoolsv.exe	spoolsv.exe
PID 2708 set thread context of 2120	2708	spoolsv.exe	spoolsv.exe
PID 1544 set thread context of 960	1544	spoolsv.exe	spoolsv.exe
PID 868 set thread context of 2880	868	spoolsv.exe	spoolsv.exe
PID 2488 set thread context of 852	2488	spoolsv.exe	spoolsv.exe
PID 964 set thread context of 2684	964	spoolsv.exe	spoolsv.exe
PID 964 set thread context of 1232	964	spoolsv.exe	diskperf.exe
PID 1468 set thread context of 1676	1468	spoolsv.exe	spoolsv.exe
PID 1732 set thread context of 2100	1732	spoolsv.exe	spoolsv.exe
PID 1732 set thread context of 2568	1732	spoolsv.exe	diskperf.exe
PID 1600 set thread context of 908	1600	explorer.exe	explorer.exe

Drops file in Windows directory 39 IoCs

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
2988	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
2772	explorer.exe
980	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
1608	spoolsv.exe
1100	explorer.exe
1880	spoolsv.exe
1100	explorer.exe
3012	spoolsv.exe
1100	explorer.exe
2812	spoolsv.exe
1100	explorer.exe
600	spoolsv.exe
1100	explorer.exe
1620	spoolsv.exe
1100	explorer.exe
1236	spoolsv.exe
1100	explorer.exe
2588	spoolsv.exe
1100	explorer.exe
272	spoolsv.exe
1100	explorer.exe
1540	spoolsv.exe
1100	explorer.exe
3004	spoolsv.exe
1100	explorer.exe
976	spoolsv.exe
1100	explorer.exe
3056	spoolsv.exe
1100	explorer.exe
1816	spoolsv.exe
1100	explorer.exe
2524	spoolsv.exe
1100	explorer.exe
2528	spoolsv.exe
1100	explorer.exe
2348	spoolsv.exe
1100	explorer.exe
2772	spoolsv.exe
1100	explorer.exe
1248	spoolsv.exe
1100	explorer.exe
1600	spoolsv.exe
1100	explorer.exe
2432	spoolsv.exe
1100	explorer.exe
2560	spoolsv.exe
1100	explorer.exe
2780	spoolsv.exe
1100	explorer.exe
2736	spoolsv.exe
1100	explorer.exe
2888	spoolsv.exe
1100	explorer.exe
412	spoolsv.exe
1100	explorer.exe
1692	spoolsv.exe
1100	explorer.exe
2708	spoolsv.exe
1100	explorer.exe
1544	spoolsv.exe
1100	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
2988	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
2988	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
2772	explorer.exe
2772	explorer.exe
1100	explorer.exe
1100	explorer.exe
980	spoolsv.exe
980	spoolsv.exe
1100	explorer.exe
1100	explorer.exe
1608	spoolsv.exe
1608	spoolsv.exe
1880	spoolsv.exe
1880	spoolsv.exe
3012	spoolsv.exe
3012	spoolsv.exe
2812	spoolsv.exe
2812	spoolsv.exe
600	spoolsv.exe
600	spoolsv.exe
1620	spoolsv.exe
1620	spoolsv.exe
1236	spoolsv.exe
1236	spoolsv.exe
2588	spoolsv.exe
2588	spoolsv.exe
272	spoolsv.exe
272	spoolsv.exe
1540	spoolsv.exe
1540	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
976	spoolsv.exe
976	spoolsv.exe
3056	spoolsv.exe
3056	spoolsv.exe
1816	spoolsv.exe
1816	spoolsv.exe
2524	spoolsv.exe
2524	spoolsv.exe
2528	spoolsv.exe
2528	spoolsv.exe
2348	spoolsv.exe
2348	spoolsv.exe
2772	spoolsv.exe
2772	spoolsv.exe
1248	spoolsv.exe
1248	spoolsv.exe
1600	spoolsv.exe
1600	spoolsv.exe
2432	spoolsv.exe
2432	spoolsv.exe
2560	spoolsv.exe
2560	spoolsv.exe
2780	spoolsv.exe
2780	spoolsv.exe
2736	spoolsv.exe
2736	spoolsv.exe
2888	spoolsv.exe
2888	spoolsv.exe
412	spoolsv.exe
412	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 2168 wrote to memory of 2728	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	cmd.exe
PID 2168 wrote to memory of 2728	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	cmd.exe
PID 2168 wrote to memory of 2728	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	cmd.exe
PID 2168 wrote to memory of 2728	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	cmd.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 2168 wrote to memory of 1044	2168	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 1044 wrote to memory of 2988	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 1044 wrote to memory of 2988	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 1044 wrote to memory of 2988	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 1044 wrote to memory of 2988	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 1044 wrote to memory of 2988	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 1044 wrote to memory of 2988	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 1044 wrote to memory of 2988	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 1044 wrote to memory of 2988	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 1044 wrote to memory of 2988	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
PID 1044 wrote to memory of 2132	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	diskperf.exe
PID 1044 wrote to memory of 2132	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	diskperf.exe
PID 1044 wrote to memory of 2132	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	diskperf.exe
PID 1044 wrote to memory of 2132	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	diskperf.exe
PID 1044 wrote to memory of 2132	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	diskperf.exe
PID 1044 wrote to memory of 2132	1044	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	diskperf.exe
PID 2988 wrote to memory of 2772	2988	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	explorer.exe
PID 2988 wrote to memory of 2772	2988	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	explorer.exe
PID 2988 wrote to memory of 2772	2988	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	explorer.exe
PID 2988 wrote to memory of 2772	2988	02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe	explorer.exe
PID 2772 wrote to memory of 1876	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 1876	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 1876	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 1876	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 1192	2772	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:2728

C:\Users\Admin\AppData\Local\Temp\02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02f5590ee8b795b44180a81b4bbbd2f1_JaffaCakes118.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:1876

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1192

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2684

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1936

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2592

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2464

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:2928

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2304

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1696

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:2160

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2524

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2776

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:2132

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
Filesize
2.9MB

MD5
02f5590ee8b795b44180a81b4bbbd2f1

SHA1
beb95708a8fe56663e1bf3ab788b031f0b4c1613

SHA256
667ea3c2938067fd8020de96e7843b5aa60651d3331af0f45f60fa877a00a439

SHA512
4edb0c13c443863fc53ef0cee24cece6c7bc46f75dc02db241bd1068009c1e22b4b5ca806c1cdba3c771f9bd3031b8c49c2bbf41b11d48d280e6f333a0b908fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\system\explorer.exe
Filesize
2.9MB

MD5
093d573bd3fc75b44eee6f4d2218d548

SHA1
31782fda33c84ae9f167d7f86866f32eb805d9f3

SHA256
d0ee1b9d0c8a4c0d361b3cbb7cffc590f071bf223afcad0c68b27798131ff353

SHA512
0b41b19dfbe7c58c6457f74aa2e8ba9f51535514e76d2d74dc3beeaafbdf70c8a8871104493420fa136799c989132e1b6b7f3487ad534039081d917baf68736b

Download Submit
\Windows\system\spoolsv.exe
Filesize
2.9MB

MD5
205cf6506e95d7f24bae7413c24fc52e

SHA1
f67fd2184de5b7b0bdff99a590a70f2642d0549d

SHA256
7bbc4164bf4d16a5cca418c345d033068572be9482dc9c58577a223e6e363434

SHA512
3c0291685b252b65a23d87673d72be42ef5f5e5ac8eba4d48881189fa86c6360d804555d5729b5641c888f7adc5e26288e7402ac88c87615b00da3eca73decd2

Download Submit
memory/336-2146-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/336-493-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/964-1753-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/964-244-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1044-52-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-41-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-38-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1044-39-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-29-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-23-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-19-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-13-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1044-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-45-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1044-50-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1044-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1044-53-0x00000000075B0000-0x00000000075B1000-memory.dmp

Filesize
4KB

Download
memory/1044-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-81-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-42-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1044-86-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1044-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-47-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1044-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-49-0x00000000075B0000-0x00000000075B1000-memory.dmp

Filesize
4KB

Download
memory/1112-547-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1112-2304-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1192-177-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1192-140-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1732-293-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1732-1822-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1876-2119-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1876-438-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2132-87-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2132-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2392-1961-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2392-391-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2424-1894-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2424-341-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2988-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads