warzonerat | 7d9343f796b3d76ae0570829eb54bba8fbcff40055edb53547c02ca34d38599a

Analysis

max time kernel
153s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
Size

2.9MB
MD5

117cda2662205772c16f8b1e88dddfb9
SHA1

2cf2544d356ea2380bb37b77897157cc629ae562
SHA256

7d9343f796b3d76ae0570829eb54bba8fbcff40055edb53547c02ca34d38599a
SHA512

f627ccdd320d5fbf2603d58610c7a15031e4c0c4024826dd61092d0afd9632c33a4b2a8c7a93d93092e4a9bb0750b8c4d5c60f51ea6acf6380b2bbdefc6d5b61
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH9:3Ty7A3mw4gxeOw46fUbNecCCFbNecG

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 21 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 46 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
368	explorer.exe
2780	explorer.exe
4984	explorer.exe
1532	spoolsv.exe
3284	spoolsv.exe
3800	spoolsv.exe
1252	spoolsv.exe
1596	spoolsv.exe
2344	spoolsv.exe
852	spoolsv.exe
1380	spoolsv.exe
2240	spoolsv.exe
4584	spoolsv.exe
4372	spoolsv.exe
4260	spoolsv.exe
468	spoolsv.exe
1116	spoolsv.exe
3580	spoolsv.exe
1864	spoolsv.exe
4628	spoolsv.exe
4928	spoolsv.exe
3204	spoolsv.exe
3136	spoolsv.exe
3668	spoolsv.exe
3840	spoolsv.exe
2428	spoolsv.exe
4824	spoolsv.exe
2952	spoolsv.exe
4764	spoolsv.exe
1028	spoolsv.exe
1948	spoolsv.exe
1764	spoolsv.exe
3200	spoolsv.exe
1144	spoolsv.exe
3852	spoolsv.exe
464	spoolsv.exe
2196	spoolsv.exe
1392	spoolsv.exe
5020	spoolsv.exe
1596	spoolsv.exe
768	spoolsv.exe
852	spoolsv.exe
3248	spoolsv.exe
1616	spoolsv.exe
1028	spoolsv.exe
3028	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe

Suspicious use of SetThreadContext 27 IoCs

Processes:

117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 4672 set thread context of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 3012 set thread context of 4480	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 3012 set thread context of 4276	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	diskperf.exe
PID 368 set thread context of 2780	368	explorer.exe	explorer.exe
PID 2780 set thread context of 4984	2780	explorer.exe	explorer.exe
PID 2780 set thread context of 3140	2780	explorer.exe	diskperf.exe
PID 1532 set thread context of 3284	1532	spoolsv.exe	spoolsv.exe
PID 3800 set thread context of 1252	3800	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 2344	1596	spoolsv.exe	spoolsv.exe
PID 852 set thread context of 1380	852	spoolsv.exe	spoolsv.exe
PID 2240 set thread context of 4584	2240	spoolsv.exe	spoolsv.exe
PID 4372 set thread context of 4260	4372	spoolsv.exe	spoolsv.exe
PID 468 set thread context of 1116	468	spoolsv.exe	spoolsv.exe
PID 3580 set thread context of 1864	3580	spoolsv.exe	spoolsv.exe
PID 4628 set thread context of 4928	4628	spoolsv.exe	spoolsv.exe
PID 3204 set thread context of 3136	3204	spoolsv.exe	spoolsv.exe
PID 3668 set thread context of 3840	3668	spoolsv.exe	spoolsv.exe
PID 2428 set thread context of 4824	2428	spoolsv.exe	spoolsv.exe
PID 2952 set thread context of 4764	2952	spoolsv.exe	spoolsv.exe
PID 1028 set thread context of 1948	1028	spoolsv.exe	spoolsv.exe
PID 1764 set thread context of 3200	1764	spoolsv.exe	spoolsv.exe
PID 1144 set thread context of 3852	1144	spoolsv.exe	spoolsv.exe
PID 464 set thread context of 2196	464	spoolsv.exe	spoolsv.exe
PID 1392 set thread context of 5020	1392	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 768	1596	spoolsv.exe	spoolsv.exe
PID 852 set thread context of 3248	852	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 1028	1616	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 26 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
4480	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
4480	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
368	explorer.exe
368	explorer.exe
1532	spoolsv.exe
1532	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
3800	spoolsv.exe
3800	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
1596	spoolsv.exe
1596	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
852	spoolsv.exe
852	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
2240	spoolsv.exe
2240	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
4372	spoolsv.exe
4372	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
468	spoolsv.exe
468	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
3580	spoolsv.exe
3580	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
4628	spoolsv.exe
4628	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
3204	spoolsv.exe
3204	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
3668	spoolsv.exe
3668	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
2428	spoolsv.exe
2428	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
2952	spoolsv.exe
2952	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
1028	spoolsv.exe
1028	spoolsv.exe
4984	explorer.exe
4984	explorer.exe

Suspicious use of SetWindowsHookEx 54 IoCs

Processes:

pid	process
4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
4480	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
4480	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
368	explorer.exe
368	explorer.exe
4984	explorer.exe
4984	explorer.exe
1532	spoolsv.exe
1532	spoolsv.exe
4984	explorer.exe
4984	explorer.exe
3800	spoolsv.exe
3800	spoolsv.exe
1596	spoolsv.exe
1596	spoolsv.exe
852	spoolsv.exe
852	spoolsv.exe
2240	spoolsv.exe
2240	spoolsv.exe
4372	spoolsv.exe
4372	spoolsv.exe
468	spoolsv.exe
468	spoolsv.exe
3580	spoolsv.exe
3580	spoolsv.exe
4628	spoolsv.exe
4628	spoolsv.exe
3204	spoolsv.exe
3204	spoolsv.exe
3668	spoolsv.exe
3668	spoolsv.exe
2428	spoolsv.exe
2428	spoolsv.exe
2952	spoolsv.exe
2952	spoolsv.exe
1028	spoolsv.exe
1028	spoolsv.exe
1764	spoolsv.exe
1764	spoolsv.exe
1144	spoolsv.exe
1144	spoolsv.exe
464	spoolsv.exe
464	spoolsv.exe
1392	spoolsv.exe
1392	spoolsv.exe
1596	spoolsv.exe
1596	spoolsv.exe
852	spoolsv.exe
852	spoolsv.exe
1616	spoolsv.exe
1616	spoolsv.exe
3028	spoolsv.exe
3028	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 4672 wrote to memory of 1928	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	cmd.exe
PID 4672 wrote to memory of 1928	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	cmd.exe
PID 4672 wrote to memory of 1928	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	cmd.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 4672 wrote to memory of 3012	4672	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 3012 wrote to memory of 4480	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 3012 wrote to memory of 4480	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 3012 wrote to memory of 4480	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 3012 wrote to memory of 4480	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 3012 wrote to memory of 4480	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 3012 wrote to memory of 4480	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 3012 wrote to memory of 4480	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 3012 wrote to memory of 4480	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
PID 3012 wrote to memory of 4276	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	diskperf.exe
PID 3012 wrote to memory of 4276	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	diskperf.exe
PID 3012 wrote to memory of 4276	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	diskperf.exe
PID 3012 wrote to memory of 4276	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	diskperf.exe
PID 3012 wrote to memory of 4276	3012	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	diskperf.exe
PID 4480 wrote to memory of 368	4480	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	explorer.exe
PID 4480 wrote to memory of 368	4480	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	explorer.exe
PID 4480 wrote to memory of 368	4480	117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe	explorer.exe
PID 368 wrote to memory of 2344	368	explorer.exe	cmd.exe
PID 368 wrote to memory of 2344	368	explorer.exe	cmd.exe
PID 368 wrote to memory of 2344	368	explorer.exe	cmd.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2780	368	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1928

C:\Users\Admin\AppData\Local\Temp\117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\117cda2662205772c16f8b1e88dddfb9_JaffaCakes118.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:2344

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2780

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3196

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:984

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2456

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:5020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4212

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
117cda2662205772c16f8b1e88dddfb9

SHA1
2cf2544d356ea2380bb37b77897157cc629ae562

SHA256
7d9343f796b3d76ae0570829eb54bba8fbcff40055edb53547c02ca34d38599a

SHA512
f627ccdd320d5fbf2603d58610c7a15031e4c0c4024826dd61092d0afd9632c33a4b2a8c7a93d93092e4a9bb0750b8c4d5c60f51ea6acf6380b2bbdefc6d5b61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.9MB

MD5
858fb449349583dc01faac80759eac5a

SHA1
72a176e22b81a6556536d85a5fa7014e6489e512

SHA256
2189a9c8d47189cbb5cbd10d7ebc5442ddb4112a3234bda9bd43b873540d5936

SHA512
5be1020a59ec70ba83ad3fb6ed5c8747f15a6da48cfb6efc36e1d1847a69bff2439b5b467a81246cd3380f23eca0ada1f405f3fb3c1abba085e14412de31c72d

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.9MB

MD5
2b522244365398fd4f492cb6463f0d66

SHA1
75657049ceeae5ecac1b3d29b1e332bbb9b11fec

SHA256
3bdbe479856e547ad92e4e4a054e4bdc1950da0fd4bf25addc0c3afd8ed92302

SHA512
6145b9b4ba2263cd7a2839e510a39377abe7fe2a4a0e6e96ce86854f2184e70c731a54a876f1c04242159da2e7210bfb6bf4e074a53d85c2efc8a1391b3b5de8

Download Submit
memory/528-376-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/768-326-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1028-351-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1116-162-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1252-94-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1252-95-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1252-97-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1252-93-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1252-98-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1252-96-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1380-124-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1864-174-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1948-253-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2196-297-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2344-112-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2780-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2780-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2780-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2780-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2780-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2780-65-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2780-45-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2780-51-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2780-67-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3012-28-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3012-8-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3012-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3012-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3012-4-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/3012-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3012-2-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3012-5-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3012-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3012-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3012-10-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3012-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3012-11-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3012-13-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/3136-200-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3196-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3200-268-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3248-339-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3284-363-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3284-111-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3284-87-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3284-84-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3284-82-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3284-81-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3284-85-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3284-83-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3840-211-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3852-282-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4260-149-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4276-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4276-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4276-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4480-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-50-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4584-137-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4764-239-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4824-225-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4928-187-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4984-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4984-110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5020-312-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download