warzonerat | ef852e8e54efe51c2c490e4d04960d3eea67de8f03387e6a51c36cb47b8cd45a

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-05-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
Size

2.7MB
MD5

1c8fcfc8d779cb710f0f968d82b9342e
SHA1

b3bf6dd4094ea6127f6d8058aee3bd1d6b9d9872
SHA256

ef852e8e54efe51c2c490e4d04960d3eea67de8f03387e6a51c36cb47b8cd45a
SHA512

631b453a30cd9617e5635e48be4c877a678910f2636c359cc7c022ef2551cff750da1a20d584b1a3ca3d9a51b672b24d9244cf33356ec8d3c6790581acfa70a2
SSDEEP

24576:ssF6mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH81w:fF6mw4gxeOw46fUbNecCCFbNecG

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 7 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 38 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

pid	process
2040	explorer.exe
1528	explorer.exe
688	explorer.exe
2108	spoolsv.exe
2164	spoolsv.exe
1728	spoolsv.exe
1664	spoolsv.exe
2632	spoolsv.exe
2568	spoolsv.exe
1012	spoolsv.exe
1780	spoolsv.exe
1876	spoolsv.exe
1772	spoolsv.exe
2760	spoolsv.exe
300	spoolsv.exe
584	spoolsv.exe
1320	spoolsv.exe
2180	spoolsv.exe
2920	spoolsv.exe
2300	spoolsv.exe
1244	spoolsv.exe
1120	spoolsv.exe
2344	spoolsv.exe
1796	spoolsv.exe
2456	spoolsv.exe
2064	spoolsv.exe
588	spoolsv.exe
2956	spoolsv.exe
2924	spoolsv.exe
2200	spoolsv.exe
1624	spoolsv.exe
2496	spoolsv.exe
1520	spoolsv.exe
1808	spoolsv.exe
580	spoolsv.exe
2724	explorer.exe
964	spoolsv.exe
2080	spoolsv.exe

Loads dropped DLL 55 IoCs

Processes:

1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1316	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
1316	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
688	explorer.exe
688	explorer.exe
2108	spoolsv.exe
688	explorer.exe
688	explorer.exe
1728	spoolsv.exe
688	explorer.exe
688	explorer.exe
2632	spoolsv.exe
688	explorer.exe
688	explorer.exe
1012	spoolsv.exe
688	explorer.exe
688	explorer.exe
1876	spoolsv.exe
688	explorer.exe
688	explorer.exe
2760	spoolsv.exe
688	explorer.exe
688	explorer.exe
584	spoolsv.exe
688	explorer.exe
688	explorer.exe
2180	spoolsv.exe
688	explorer.exe
688	explorer.exe
2300	spoolsv.exe
688	explorer.exe
688	explorer.exe
1120	spoolsv.exe
688	explorer.exe
688	explorer.exe
1796	spoolsv.exe
688	explorer.exe
688	explorer.exe
2064	spoolsv.exe
688	explorer.exe
688	explorer.exe
2956	spoolsv.exe
688	explorer.exe
688	explorer.exe
2200	spoolsv.exe
688	explorer.exe
688	explorer.exe
2496	spoolsv.exe
688	explorer.exe
688	explorer.exe
1808	spoolsv.exe
2164	spoolsv.exe
580	spoolsv.exe
688	explorer.exe
688	explorer.exe
1664	spoolsv.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1592-0-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1592-43-0x0000000000400000-0x0000000000445000-memory.dmp	upx
C:\Windows\system\explorer.exe	upx
behavioral1/memory/2040-101-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2040-146-0x0000000000400000-0x0000000000445000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	upx
\Windows\system\spoolsv.exe	upx
behavioral1/memory/2108-246-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1728-264-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2632-311-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1012-365-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1876-441-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2760-477-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/584-533-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2180-590-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2180-614-0x00000000002D0000-0x0000000000315000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe

Suspicious use of SetThreadContext 24 IoCs

Processes:

1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1592 set thread context of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1220 set thread context of 1316	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1220 set thread context of 276	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 2040 set thread context of 1528	2040	explorer.exe	explorer.exe
PID 1528 set thread context of 688	1528	explorer.exe	explorer.exe
PID 1528 set thread context of 880	1528	explorer.exe	diskperf.exe
PID 2108 set thread context of 2164	2108	spoolsv.exe	spoolsv.exe
PID 1728 set thread context of 1664	1728	spoolsv.exe	spoolsv.exe
PID 2632 set thread context of 2568	2632	spoolsv.exe	spoolsv.exe
PID 1012 set thread context of 1780	1012	spoolsv.exe	spoolsv.exe
PID 1876 set thread context of 1772	1876	spoolsv.exe	spoolsv.exe
PID 2760 set thread context of 300	2760	spoolsv.exe	spoolsv.exe
PID 584 set thread context of 1320	584	spoolsv.exe	spoolsv.exe
PID 2180 set thread context of 2920	2180	spoolsv.exe	spoolsv.exe
PID 2300 set thread context of 1244	2300	spoolsv.exe	spoolsv.exe
PID 1120 set thread context of 2344	1120	spoolsv.exe	spoolsv.exe
PID 1796 set thread context of 2456	1796	spoolsv.exe	spoolsv.exe
PID 2064 set thread context of 588	2064	spoolsv.exe	spoolsv.exe
PID 2956 set thread context of 2924	2956	spoolsv.exe	spoolsv.exe
PID 2200 set thread context of 1624	2200	spoolsv.exe	spoolsv.exe
PID 2496 set thread context of 1520	2496	spoolsv.exe	spoolsv.exe
PID 2164 set thread context of 580	2164	spoolsv.exe	spoolsv.exe
PID 1808 set thread context of 964	1808	spoolsv.exe	spoolsv.exe
PID 2164 set thread context of 940	2164	spoolsv.exe	diskperf.exe

Drops file in Windows directory 22 IoCs

Processes:

spoolsv.exe1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

pid	process
1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
1316	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
2040	explorer.exe
2108	spoolsv.exe
688	explorer.exe
688	explorer.exe
1728	spoolsv.exe
688	explorer.exe
2632	spoolsv.exe
688	explorer.exe
1012	spoolsv.exe
688	explorer.exe
1876	spoolsv.exe
688	explorer.exe
2760	spoolsv.exe
688	explorer.exe
584	spoolsv.exe
688	explorer.exe
2180	spoolsv.exe
688	explorer.exe
2300	spoolsv.exe
688	explorer.exe
1120	spoolsv.exe
688	explorer.exe
1796	spoolsv.exe
688	explorer.exe
2064	spoolsv.exe
688	explorer.exe
2956	spoolsv.exe
688	explorer.exe
2200	spoolsv.exe
688	explorer.exe
2496	spoolsv.exe
688	explorer.exe
1808	spoolsv.exe
688	explorer.exe
2724	explorer.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

pid	process
1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
1316	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
1316	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
2040	explorer.exe
2040	explorer.exe
688	explorer.exe
688	explorer.exe
2108	spoolsv.exe
2108	spoolsv.exe
688	explorer.exe
688	explorer.exe
1728	spoolsv.exe
1728	spoolsv.exe
2632	spoolsv.exe
2632	spoolsv.exe
1012	spoolsv.exe
1012	spoolsv.exe
1876	spoolsv.exe
1876	spoolsv.exe
2760	spoolsv.exe
2760	spoolsv.exe
584	spoolsv.exe
584	spoolsv.exe
2180	spoolsv.exe
2180	spoolsv.exe
2300	spoolsv.exe
2300	spoolsv.exe
1120	spoolsv.exe
1120	spoolsv.exe
1796	spoolsv.exe
1796	spoolsv.exe
2064	spoolsv.exe
2064	spoolsv.exe
2956	spoolsv.exe
2956	spoolsv.exe
2200	spoolsv.exe
2200	spoolsv.exe
2496	spoolsv.exe
2496	spoolsv.exe
1808	spoolsv.exe
1808	spoolsv.exe
580	spoolsv.exe
580	spoolsv.exe
2724	explorer.exe
2724	explorer.exe
2080	spoolsv.exe
2080	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 1592 wrote to memory of 1740	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	cmd.exe
PID 1592 wrote to memory of 1740	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	cmd.exe
PID 1592 wrote to memory of 1740	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	cmd.exe
PID 1592 wrote to memory of 1740	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	cmd.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1592 wrote to memory of 1220	1592	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1220 wrote to memory of 1316	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1220 wrote to memory of 1316	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1220 wrote to memory of 1316	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1220 wrote to memory of 1316	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1220 wrote to memory of 1316	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1220 wrote to memory of 1316	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1220 wrote to memory of 1316	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1220 wrote to memory of 1316	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1220 wrote to memory of 1316	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 1220 wrote to memory of 276	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 1220 wrote to memory of 276	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 1220 wrote to memory of 276	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 1220 wrote to memory of 276	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 1220 wrote to memory of 276	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 1220 wrote to memory of 276	1220	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 1316 wrote to memory of 2040	1316	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	explorer.exe
PID 1316 wrote to memory of 2040	1316	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	explorer.exe
PID 1316 wrote to memory of 2040	1316	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	explorer.exe
PID 1316 wrote to memory of 2040	1316	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	explorer.exe
PID 2040 wrote to memory of 1652	2040	explorer.exe	cmd.exe
PID 2040 wrote to memory of 1652	2040	explorer.exe	cmd.exe
PID 2040 wrote to memory of 1652	2040	explorer.exe	cmd.exe
PID 2040 wrote to memory of 1652	2040	explorer.exe	cmd.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe
PID 2040 wrote to memory of 1528	2040	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1740

C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:1652

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1528

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:580

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:2432

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:784

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1392

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.7MB

MD5
1c8fcfc8d779cb710f0f968d82b9342e

SHA1
b3bf6dd4094ea6127f6d8058aee3bd1d6b9d9872

SHA256
ef852e8e54efe51c2c490e4d04960d3eea67de8f03387e6a51c36cb47b8cd45a

SHA512
631b453a30cd9617e5635e48be4c877a678910f2636c359cc7c022ef2551cff750da1a20d584b1a3ca3d9a51b672b24d9244cf33356ec8d3c6790581acfa70a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.7MB

MD5
7024c2be05187b4bd90f050cb3adbbbc

SHA1
df66ee2a2c4938745fa4e63caee33e40212964f0

SHA256
65ce95d00e66446537c8d23dc936bc98aa6dea1a0ebeb10bdf364f3a152fc7c1

SHA512
17e58c36c7a5806437116f43d7beee025ead54e80a7ab82104dedc59a8e129694724ad855024a84b8b8a3047f863368cf40a4317681d189831a6863149ea7770

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.7MB

MD5
f3f70819d54ed93baa56e4f625d2acb5

SHA1
9b4487ff6bf81bf24bc8c5744b479f8adb52e402

SHA256
380096fc523cf316abf6aab3a2764f8a3e4e251c68a5e4218ae8e8a3e988e4da

SHA512
77d1dad8c3dd53797af2d5b3cd0879ec7cb8fd805c5ec30813b7578a480ce1ed0b8e9ed42d60ce9aaa38d5d6bd775ae74d5fefe615e1178968feb9a6893f897b

Download Submit
memory/276-87-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/300-529-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/584-535-0x00000000003A0000-0x00000000003E5000-memory.dmp

Filesize
276KB

Download
memory/584-533-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/688-475-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-197-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-474-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-589-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-473-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-437-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-426-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-367-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-364-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-938-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-309-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-308-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-263-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-491-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-606-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-588-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/688-939-0x0000000002D40000-0x0000000002D85000-memory.dmp

Filesize
276KB

Download
memory/1012-365-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1220-32-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-55-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1220-72-0x00000000089B0000-0x00000000089F5000-memory.dmp

Filesize
276KB

Download
memory/1220-2-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1220-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-16-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-89-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1220-19-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-23-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-48-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1220-29-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-38-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1220-45-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1220-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1220-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-49-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-51-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1220-39-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1220-50-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1220-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-52-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1316-98-0x0000000002980000-0x00000000029C5000-memory.dmp

Filesize
276KB

Download
memory/1316-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-99-0x0000000002980000-0x00000000029C5000-memory.dmp

Filesize
276KB

Download
memory/1316-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1320-578-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1528-153-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1528-184-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1592-43-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1592-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1664-1109-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1664-300-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1728-280-0x00000000003A0000-0x00000000003E5000-memory.dmp

Filesize
276KB

Download
memory/1728-264-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1772-465-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1780-440-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1876-441-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2040-101-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2040-146-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2108-246-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2164-241-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2164-1053-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2180-590-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2180-614-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/2568-362-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2632-311-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2760-477-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download