warzonerat | 8710b209b3782ced7921249e5dacd6831c1d28eca069dda367706aa9c6bb1b4e

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
Size

2.9MB
MD5

12c606611f8eaadceccc1a8c60983148
SHA1

26d7b0e794f5d9a1db9264a1a8289192050bf746
SHA256

8710b209b3782ced7921249e5dacd6831c1d28eca069dda367706aa9c6bb1b4e
SHA512

a4b3fbb839d6efdae1eb3dd1dd97b630f86273d83960ade7c80fd92d641840ec359dce29e03209d941214f4bf9a801c0f1acdad24c0ef4f177db6480df5990b8
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHs:3Ty7A3mw4gxeOw46fUbNecCCFbNecF

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 31 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1476	explorer.exe
2148	explorer.exe
644	explorer.exe
2304	spoolsv.exe
1680	spoolsv.exe
1428	spoolsv.exe
1528	spoolsv.exe
1908	spoolsv.exe
2636	spoolsv.exe
2432	spoolsv.exe
848	spoolsv.exe
376	spoolsv.exe
2692	spoolsv.exe
2844	spoolsv.exe
2872	spoolsv.exe
2296	spoolsv.exe
1748	spoolsv.exe
1868	spoolsv.exe
2996	spoolsv.exe
2576	spoolsv.exe
2208	spoolsv.exe
2544	spoolsv.exe
2552	spoolsv.exe
1452	spoolsv.exe
2564	spoolsv.exe
2704	spoolsv.exe
1184	spoolsv.exe
584	spoolsv.exe
540	spoolsv.exe
780	spoolsv.exe
1792	spoolsv.exe
2192	spoolsv.exe
2492	spoolsv.exe
2504	spoolsv.exe
2536	spoolsv.exe
332	spoolsv.exe
2432	spoolsv.exe
2720	spoolsv.exe
1568	spoolsv.exe
2896	spoolsv.exe
1400	spoolsv.exe
276	spoolsv.exe
808	spoolsv.exe
1504	spoolsv.exe
2300	spoolsv.exe
1896	spoolsv.exe
2512	spoolsv.exe
2308	spoolsv.exe
320	spoolsv.exe
1324	spoolsv.exe
2428	spoolsv.exe
2176	spoolsv.exe
1576	spoolsv.exe
2984	spoolsv.exe
1696	spoolsv.exe
592	spoolsv.exe
884	spoolsv.exe
2588	spoolsv.exe
2920	spoolsv.exe
2556	spoolsv.exe
2312	spoolsv.exe
2892	spoolsv.exe
1276	spoolsv.exe
1560	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1436	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
1436	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
644	explorer.exe
644	explorer.exe
2304	spoolsv.exe
644	explorer.exe
644	explorer.exe
1428	spoolsv.exe
644	explorer.exe
644	explorer.exe
1908	spoolsv.exe
644	explorer.exe
644	explorer.exe
2432	spoolsv.exe
644	explorer.exe
644	explorer.exe
376	spoolsv.exe
644	explorer.exe
644	explorer.exe
2844	spoolsv.exe
644	explorer.exe
644	explorer.exe
2296	spoolsv.exe
644	explorer.exe
644	explorer.exe
1868	spoolsv.exe
644	explorer.exe
644	explorer.exe
2576	spoolsv.exe
644	explorer.exe
644	explorer.exe
2544	spoolsv.exe
644	explorer.exe
644	explorer.exe
1452	spoolsv.exe
644	explorer.exe
644	explorer.exe
2704	spoolsv.exe
644	explorer.exe
644	explorer.exe
584	spoolsv.exe
644	explorer.exe
644	explorer.exe
780	spoolsv.exe
644	explorer.exe
644	explorer.exe
2192	spoolsv.exe
644	explorer.exe
644	explorer.exe
2504	spoolsv.exe
644	explorer.exe
644	explorer.exe
332	spoolsv.exe
644	explorer.exe
644	explorer.exe
2720	spoolsv.exe
644	explorer.exe
644	explorer.exe
2896	spoolsv.exe
644	explorer.exe
644	explorer.exe
276	spoolsv.exe
644	explorer.exe
644	explorer.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exeexplorer.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2084 set thread context of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 1880 set thread context of 1436	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 1880 set thread context of 1356	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	diskperf.exe
PID 1476 set thread context of 2148	1476	explorer.exe	explorer.exe
PID 2148 set thread context of 644	2148	explorer.exe	explorer.exe
PID 2148 set thread context of 1080	2148	explorer.exe	diskperf.exe
PID 2304 set thread context of 1680	2304	spoolsv.exe	spoolsv.exe
PID 1428 set thread context of 1528	1428	spoolsv.exe	spoolsv.exe
PID 1908 set thread context of 2636	1908	spoolsv.exe	spoolsv.exe
PID 2432 set thread context of 848	2432	spoolsv.exe	spoolsv.exe
PID 376 set thread context of 2692	376	spoolsv.exe	spoolsv.exe
PID 2844 set thread context of 2872	2844	spoolsv.exe	spoolsv.exe
PID 2296 set thread context of 1748	2296	spoolsv.exe	spoolsv.exe
PID 1868 set thread context of 2996	1868	spoolsv.exe	spoolsv.exe
PID 2576 set thread context of 2208	2576	spoolsv.exe	spoolsv.exe
PID 2544 set thread context of 2552	2544	spoolsv.exe	spoolsv.exe
PID 1452 set thread context of 2564	1452	spoolsv.exe	spoolsv.exe
PID 2704 set thread context of 1184	2704	spoolsv.exe	spoolsv.exe
PID 584 set thread context of 540	584	spoolsv.exe	spoolsv.exe
PID 780 set thread context of 1792	780	spoolsv.exe	spoolsv.exe
PID 2192 set thread context of 2492	2192	spoolsv.exe	spoolsv.exe
PID 2504 set thread context of 2536	2504	spoolsv.exe	spoolsv.exe
PID 332 set thread context of 2432	332	spoolsv.exe	spoolsv.exe
PID 2720 set thread context of 1568	2720	spoolsv.exe	spoolsv.exe
PID 2896 set thread context of 1400	2896	spoolsv.exe	spoolsv.exe
PID 276 set thread context of 808	276	spoolsv.exe	spoolsv.exe
PID 1504 set thread context of 2300	1504	spoolsv.exe	spoolsv.exe
PID 1896 set thread context of 2512	1896	spoolsv.exe	spoolsv.exe
PID 2308 set thread context of 320	2308	spoolsv.exe	spoolsv.exe
PID 1324 set thread context of 2428	1324	spoolsv.exe	spoolsv.exe
PID 2176 set thread context of 1576	2176	spoolsv.exe	spoolsv.exe
PID 2984 set thread context of 1696	2984	spoolsv.exe	spoolsv.exe
PID 592 set thread context of 884	592	spoolsv.exe	spoolsv.exe
PID 2588 set thread context of 2920	2588	spoolsv.exe	spoolsv.exe
PID 2556 set thread context of 2312	2556	spoolsv.exe	spoolsv.exe
PID 2892 set thread context of 1276	2892	spoolsv.exe	spoolsv.exe
PID 1560 set thread context of 2696	1560	spoolsv.exe	spoolsv.exe
PID 1484 set thread context of 2120	1484	spoolsv.exe	spoolsv.exe
PID 1680 set thread context of 908	1680	spoolsv.exe	spoolsv.exe
PID 1680 set thread context of 900	1680	spoolsv.exe	diskperf.exe
PID 1244 set thread context of 2500	1244	spoolsv.exe	spoolsv.exe
PID 1528 set thread context of 2548	1528	spoolsv.exe	spoolsv.exe
PID 1528 set thread context of 2172	1528	spoolsv.exe	diskperf.exe
PID 1180 set thread context of 2444	1180	explorer.exe	explorer.exe
PID 2400 set thread context of 1656	2400	spoolsv.exe	spoolsv.exe
PID 2636 set thread context of 1560	2636	spoolsv.exe	spoolsv.exe
PID 2636 set thread context of 2824	2636	spoolsv.exe	diskperf.exe
PID 848 set thread context of 2708	848	spoolsv.exe	spoolsv.exe
PID 848 set thread context of 2832	848	spoolsv.exe	diskperf.exe
PID 1196 set thread context of 1772	1196	spoolsv.exe	spoolsv.exe
PID 812 set thread context of 1504	812	explorer.exe	explorer.exe
PID 2692 set thread context of 296	2692	spoolsv.exe	spoolsv.exe
PID 1432 set thread context of 2584	1432	spoolsv.exe	spoolsv.exe
PID 2692 set thread context of 744	2692	spoolsv.exe	diskperf.exe
PID 2648 set thread context of 2400	2648	spoolsv.exe	spoolsv.exe
PID 2872 set thread context of 2964	2872	spoolsv.exe	spoolsv.exe
PID 2872 set thread context of 2744	2872	spoolsv.exe	diskperf.exe
PID 1748 set thread context of 700	1748	spoolsv.exe	spoolsv.exe
PID 1748 set thread context of 2372	1748	spoolsv.exe	diskperf.exe
PID 2032 set thread context of 2000	2032	spoolsv.exe	spoolsv.exe
PID 2892 set thread context of 2240	2892	explorer.exe	explorer.exe
PID 2996 set thread context of 2544	2996	spoolsv.exe	spoolsv.exe
PID 2996 set thread context of 2520	2996	spoolsv.exe	diskperf.exe
PID 2396 set thread context of 2568	2396	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 48 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
1436	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
1476	explorer.exe
2304	spoolsv.exe
644	explorer.exe
644	explorer.exe
1428	spoolsv.exe
644	explorer.exe
1908	spoolsv.exe
644	explorer.exe
2432	spoolsv.exe
644	explorer.exe
376	spoolsv.exe
644	explorer.exe
2844	spoolsv.exe
644	explorer.exe
2296	spoolsv.exe
644	explorer.exe
1868	spoolsv.exe
644	explorer.exe
2576	spoolsv.exe
644	explorer.exe
2544	spoolsv.exe
644	explorer.exe
1452	spoolsv.exe
644	explorer.exe
2704	spoolsv.exe
644	explorer.exe
584	spoolsv.exe
644	explorer.exe
780	spoolsv.exe
644	explorer.exe
2192	spoolsv.exe
644	explorer.exe
2504	spoolsv.exe
644	explorer.exe
332	spoolsv.exe
644	explorer.exe
2720	spoolsv.exe
644	explorer.exe
2896	spoolsv.exe
644	explorer.exe
276	spoolsv.exe
644	explorer.exe
1504	spoolsv.exe
644	explorer.exe
1896	spoolsv.exe
644	explorer.exe
2308	spoolsv.exe
644	explorer.exe
1324	spoolsv.exe
644	explorer.exe
2176	spoolsv.exe
644	explorer.exe
2984	spoolsv.exe
644	explorer.exe
592	spoolsv.exe
644	explorer.exe
2588	spoolsv.exe
644	explorer.exe
2556	spoolsv.exe
644	explorer.exe
2892	spoolsv.exe
644	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
1436	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
1436	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
1476	explorer.exe
1476	explorer.exe
644	explorer.exe
644	explorer.exe
2304	spoolsv.exe
2304	spoolsv.exe
644	explorer.exe
644	explorer.exe
1428	spoolsv.exe
1428	spoolsv.exe
1908	spoolsv.exe
1908	spoolsv.exe
2432	spoolsv.exe
2432	spoolsv.exe
376	spoolsv.exe
376	spoolsv.exe
2844	spoolsv.exe
2844	spoolsv.exe
2296	spoolsv.exe
2296	spoolsv.exe
1868	spoolsv.exe
1868	spoolsv.exe
2576	spoolsv.exe
2576	spoolsv.exe
2544	spoolsv.exe
2544	spoolsv.exe
1452	spoolsv.exe
1452	spoolsv.exe
2704	spoolsv.exe
2704	spoolsv.exe
584	spoolsv.exe
584	spoolsv.exe
780	spoolsv.exe
780	spoolsv.exe
2192	spoolsv.exe
2192	spoolsv.exe
2504	spoolsv.exe
2504	spoolsv.exe
332	spoolsv.exe
332	spoolsv.exe
2720	spoolsv.exe
2720	spoolsv.exe
2896	spoolsv.exe
2896	spoolsv.exe
276	spoolsv.exe
276	spoolsv.exe
1504	spoolsv.exe
1504	spoolsv.exe
1896	spoolsv.exe
1896	spoolsv.exe
2308	spoolsv.exe
2308	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
2176	spoolsv.exe
2176	spoolsv.exe
2984	spoolsv.exe
2984	spoolsv.exe
592	spoolsv.exe
592	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 2084 wrote to memory of 2052	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	cmd.exe
PID 2084 wrote to memory of 2052	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	cmd.exe
PID 2084 wrote to memory of 2052	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	cmd.exe
PID 2084 wrote to memory of 2052	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	cmd.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 2084 wrote to memory of 1880	2084	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 1880 wrote to memory of 1436	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 1880 wrote to memory of 1436	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 1880 wrote to memory of 1436	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 1880 wrote to memory of 1436	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 1880 wrote to memory of 1436	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 1880 wrote to memory of 1436	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 1880 wrote to memory of 1436	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 1880 wrote to memory of 1436	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 1880 wrote to memory of 1436	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
PID 1880 wrote to memory of 1356	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	diskperf.exe
PID 1880 wrote to memory of 1356	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	diskperf.exe
PID 1880 wrote to memory of 1356	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	diskperf.exe
PID 1880 wrote to memory of 1356	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	diskperf.exe
PID 1880 wrote to memory of 1356	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	diskperf.exe
PID 1880 wrote to memory of 1356	1880	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	diskperf.exe
PID 1436 wrote to memory of 1476	1436	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	explorer.exe
PID 1436 wrote to memory of 1476	1436	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	explorer.exe
PID 1436 wrote to memory of 1476	1436	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	explorer.exe
PID 1436 wrote to memory of 1476	1436	12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe	explorer.exe
PID 1476 wrote to memory of 772	1476	explorer.exe	cmd.exe
PID 1476 wrote to memory of 772	1476	explorer.exe	cmd.exe
PID 1476 wrote to memory of 772	1476	explorer.exe	cmd.exe
PID 1476 wrote to memory of 772	1476	explorer.exe	cmd.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe
PID 1476 wrote to memory of 2148	1476	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:2052

C:\Users\Admin\AppData\Local\Temp\12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\12c606611f8eaadceccc1a8c60983148_JaffaCakes118.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:772

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2148

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:908

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1648

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2548

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2708

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1664

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:296

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2964

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:108

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2240

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:700

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2544

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2780

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2788

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:2724

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2484

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:856

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:2132

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1564

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
12c606611f8eaadceccc1a8c60983148

SHA1
26d7b0e794f5d9a1db9264a1a8289192050bf746

SHA256
8710b209b3782ced7921249e5dacd6831c1d28eca069dda367706aa9c6bb1b4e

SHA512
a4b3fbb839d6efdae1eb3dd1dd97b630f86273d83960ade7c80fd92d641840ec359dce29e03209d941214f4bf9a801c0f1acdad24c0ef4f177db6480df5990b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
6459cca2ad445f01bc821784a14a8a46

SHA1
7a4f32c30e48e431195d4cd6849c3d4cc3658861

SHA256
3dcf1c2dc6e6abda113016a6874af82a9ef4833dfd1c5e5cb59e717c8a6c3cec

SHA512
fd4b61ce91bf0d68c4b76bbc53e3c2d893d444b545d612144a24ee9cd24cf304a17ba8daf86706b2197bbd9b534df2618853f7e7b5c8f0a850addac24e4c587a

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
2.9MB

MD5
f00db1ee7f7fda43e0ab3453c3c73df3

SHA1
c88355b2823b4cfe8ca4aaf2ce0b883efeb25e7c

SHA256
121531d79662426408e75cb706d708e09313a5564cef1fc62962521a8c64bfd5

SHA512
7a4b7702912a4a37cd252f8121d58c9b65722ffa35357cc28cb53056fa6d3b4c2bb69f3947373e0125d5d88f027b43a43b4636894c0a16cacd1bf0ee4f569b5b

Download Submit
memory/848-390-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/848-1984-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1184-795-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1356-82-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1356-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1356-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1356-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1400-1126-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1436-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-1838-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1528-294-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1680-242-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1680-1767-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1748-546-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1748-2263-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1792-889-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1880-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1880-50-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1880-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-51-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1880-52-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1880-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-80-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1880-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1880-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-38-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1880-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-19-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-29-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-40-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1880-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-41-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1880-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1880-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2148-146-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2148-175-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2208-653-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2208-2486-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2300-1219-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2536-984-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2552-2571-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2564-748-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2636-1954-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2636-338-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2692-2144-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2692-443-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2872-2211-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2872-493-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2996-2349-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2996-599-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download