warzonerat | 4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-05-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
Size

2.9MB
MD5

5118d9538a9e4882310f62351f9d0b15
SHA1

858bab699a830240b946d2b67d4c29c01df7c9ae
SHA256

4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa
SHA512

4307210ce9080292893c862f1520236cd0b44fea55beee7305b9a17fa3498ed39af80f41591d4bc59e0f97a570f2deec18a9d55f6fdcdffac6d49d00397db74e
SSDEEP

24576:ATU7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHG:ATU7AAmw4gxeOw46fUbNecCCFbNecb

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Detects executables packed with ASPack 37 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2308-5-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-9-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-47-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-50-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-46-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-44-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-41-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-36-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-32-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-30-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-28-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-26-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-24-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-22-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-20-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-18-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-16-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-7-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-45-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-43-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-39-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-13-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-11-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-48-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2308-84-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1660-150-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1660-178-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1592-299-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/920-250-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2448-350-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/772-402-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2116-453-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/920-1887-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1592-1999-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2448-2031-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/772-2166-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2116-2234-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack

UPX dump on OEP (original entry point) 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1984-0-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/1984-42-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
C:\Windows\system\explorer.exe	UPX
behavioral1/memory/2260-141-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	UPX
\Windows\system\spoolsv.exe	UPX
behavioral1/memory/1320-239-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/2332-251-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/2692-355-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/2908-342-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/1304-452-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/1836-456-0x0000000003150000-0x0000000003196000-memory.dmp	UPX
behavioral1/memory/384-460-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/1836-457-0x0000000003150000-0x0000000003196000-memory.dmp	UPX

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Drops startup file 20 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2260	explorer.exe
1660	explorer.exe
1836	explorer.exe
1320	spoolsv.exe
920	spoolsv.exe
2332	spoolsv.exe
1592	spoolsv.exe
2908	spoolsv.exe
2448	spoolsv.exe
2692	spoolsv.exe
772	spoolsv.exe
1304	spoolsv.exe
2116	spoolsv.exe
384	spoolsv.exe
992	spoolsv.exe
2400	spoolsv.exe
1404	spoolsv.exe
1800	spoolsv.exe
2196	spoolsv.exe
2756	spoolsv.exe
2460	spoolsv.exe
2868	spoolsv.exe
1292	spoolsv.exe
1348	spoolsv.exe
2280	spoolsv.exe
2736	spoolsv.exe
1704	spoolsv.exe
1260	spoolsv.exe
1684	spoolsv.exe
2896	spoolsv.exe
320	spoolsv.exe
1640	spoolsv.exe
2588	spoolsv.exe
2796	spoolsv.exe
2592	spoolsv.exe
2772	spoolsv.exe
2912	spoolsv.exe
2768	spoolsv.exe
1536	spoolsv.exe
884	spoolsv.exe
1736	spoolsv.exe
1788	spoolsv.exe
1376	spoolsv.exe
1732	spoolsv.exe
2072	spoolsv.exe
868	spoolsv.exe
2276	spoolsv.exe
2744	spoolsv.exe
2644	spoolsv.exe
2700	spoolsv.exe
1816	spoolsv.exe
2000	spoolsv.exe
2688	spoolsv.exe
1492	spoolsv.exe
996	spoolsv.exe
2400	spoolsv.exe
700	spoolsv.exe
2604	spoolsv.exe
2612	spoolsv.exe
2716	spoolsv.exe
2176	spoolsv.exe
2152	spoolsv.exe
2468	spoolsv.exe
2232	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1728	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
1728	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
1836	explorer.exe
1836	explorer.exe
1320	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2332	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2908	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2692	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
1304	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
384	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2400	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
1800	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2756	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2868	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
1348	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2736	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
1260	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2896	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
1640	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2796	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2772	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2768	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
884	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
1788	spoolsv.exe
1836	explorer.exe
1836	explorer.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1984-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1984-42-0x0000000000400000-0x0000000000446000-memory.dmp	upx
C:\Windows\system\explorer.exe	upx
behavioral1/memory/2260-141-0x0000000000400000-0x0000000000446000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	upx
\Windows\system\spoolsv.exe	upx
behavioral1/memory/1320-239-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2332-251-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2692-355-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2908-342-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1304-452-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1836-456-0x0000000003150000-0x0000000003196000-memory.dmp	upx
behavioral1/memory/384-460-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1836-457-0x0000000003150000-0x0000000003196000-memory.dmp	upx

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exe4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1984 set thread context of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 2308 set thread context of 1728	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 2308 set thread context of 1200	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	diskperf.exe
PID 2260 set thread context of 1660	2260	explorer.exe	explorer.exe
PID 1660 set thread context of 1836	1660	explorer.exe	explorer.exe
PID 1660 set thread context of 2068	1660	explorer.exe	diskperf.exe
PID 1320 set thread context of 920	1320	spoolsv.exe	spoolsv.exe
PID 2332 set thread context of 1592	2332	spoolsv.exe	spoolsv.exe
PID 2908 set thread context of 2448	2908	spoolsv.exe	spoolsv.exe
PID 2692 set thread context of 772	2692	spoolsv.exe	spoolsv.exe
PID 1304 set thread context of 2116	1304	spoolsv.exe	spoolsv.exe
PID 384 set thread context of 992	384	spoolsv.exe	spoolsv.exe
PID 2400 set thread context of 1404	2400	spoolsv.exe	spoolsv.exe
PID 1800 set thread context of 2196	1800	spoolsv.exe	spoolsv.exe
PID 2756 set thread context of 2460	2756	spoolsv.exe	spoolsv.exe
PID 2868 set thread context of 1292	2868	spoolsv.exe	spoolsv.exe
PID 1348 set thread context of 2280	1348	spoolsv.exe	spoolsv.exe
PID 2736 set thread context of 1704	2736	spoolsv.exe	spoolsv.exe
PID 1260 set thread context of 1684	1260	spoolsv.exe	spoolsv.exe
PID 2896 set thread context of 320	2896	spoolsv.exe	spoolsv.exe
PID 1640 set thread context of 2588	1640	spoolsv.exe	spoolsv.exe
PID 2796 set thread context of 2592	2796	spoolsv.exe	spoolsv.exe
PID 2772 set thread context of 2912	2772	spoolsv.exe	spoolsv.exe
PID 2768 set thread context of 1536	2768	spoolsv.exe	spoolsv.exe
PID 884 set thread context of 1736	884	spoolsv.exe	spoolsv.exe
PID 1788 set thread context of 1376	1788	spoolsv.exe	spoolsv.exe
PID 1732 set thread context of 2072	1732	spoolsv.exe	spoolsv.exe
PID 868 set thread context of 2276	868	spoolsv.exe	spoolsv.exe
PID 2744 set thread context of 2644	2744	spoolsv.exe	spoolsv.exe
PID 2700 set thread context of 1816	2700	spoolsv.exe	spoolsv.exe
PID 2000 set thread context of 2688	2000	spoolsv.exe	spoolsv.exe
PID 1492 set thread context of 996	1492	spoolsv.exe	spoolsv.exe
PID 2400 set thread context of 700	2400	spoolsv.exe	spoolsv.exe
PID 2604 set thread context of 2612	2604	spoolsv.exe	spoolsv.exe
PID 2716 set thread context of 2176	2716	spoolsv.exe	spoolsv.exe
PID 2152 set thread context of 2468	2152	spoolsv.exe	spoolsv.exe
PID 2232 set thread context of 2100	2232	spoolsv.exe	spoolsv.exe
PID 2876 set thread context of 2192	2876	spoolsv.exe	spoolsv.exe
PID 1032 set thread context of 3008	1032	spoolsv.exe	spoolsv.exe
PID 952 set thread context of 3012	952	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 1976	1616	spoolsv.exe	spoolsv.exe
PID 920 set thread context of 2168	920	spoolsv.exe	spoolsv.exe
PID 920 set thread context of 2648	920	spoolsv.exe	diskperf.exe
PID 2716 set thread context of 1820	2716	spoolsv.exe	spoolsv.exe
PID 1592 set thread context of 1128	1592	spoolsv.exe	spoolsv.exe
PID 2424 set thread context of 1948	2424	explorer.exe	explorer.exe
PID 1592 set thread context of 2232	1592	spoolsv.exe	diskperf.exe
PID 2448 set thread context of 3028	2448	spoolsv.exe	spoolsv.exe
PID 2448 set thread context of 3056	2448	spoolsv.exe	diskperf.exe
PID 2768 set thread context of 816	2768	spoolsv.exe	spoolsv.exe
PID 772 set thread context of 2148	772	spoolsv.exe	spoolsv.exe
PID 1692 set thread context of 2880	1692	explorer.exe	explorer.exe
PID 772 set thread context of 888	772	spoolsv.exe	diskperf.exe
PID 2116 set thread context of 2552	2116	spoolsv.exe	spoolsv.exe
PID 2844 set thread context of 1304	2844	spoolsv.exe	spoolsv.exe
PID 2116 set thread context of 1680	2116	spoolsv.exe	diskperf.exe
PID 1548 set thread context of 1028	1548	spoolsv.exe	spoolsv.exe
PID 992 set thread context of 2452	992	spoolsv.exe	spoolsv.exe
PID 1988 set thread context of 2888	1988	spoolsv.exe	spoolsv.exe
PID 992 set thread context of 1468	992	spoolsv.exe	diskperf.exe
PID 1488 set thread context of 2544	1488	explorer.exe	explorer.exe
PID 1404 set thread context of 2628	1404	spoolsv.exe	spoolsv.exe
PID 1712 set thread context of 2780	1712	spoolsv.exe	spoolsv.exe
PID 1404 set thread context of 2240	1404	spoolsv.exe	diskperf.exe

Drops file in Windows directory 53 IoCs

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
1728	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
2260	explorer.exe
1320	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2332	spoolsv.exe
1836	explorer.exe
2908	spoolsv.exe
1836	explorer.exe
2692	spoolsv.exe
1836	explorer.exe
1304	spoolsv.exe
1836	explorer.exe
384	spoolsv.exe
1836	explorer.exe
2400	spoolsv.exe
1836	explorer.exe
1800	spoolsv.exe
1836	explorer.exe
2756	spoolsv.exe
1836	explorer.exe
2868	spoolsv.exe
1836	explorer.exe
1348	spoolsv.exe
1836	explorer.exe
2736	spoolsv.exe
1836	explorer.exe
1260	spoolsv.exe
1836	explorer.exe
2896	spoolsv.exe
1836	explorer.exe
1640	spoolsv.exe
1836	explorer.exe
2796	spoolsv.exe
1836	explorer.exe
2772	spoolsv.exe
1836	explorer.exe
2768	spoolsv.exe
1836	explorer.exe
884	spoolsv.exe
1836	explorer.exe
1788	spoolsv.exe
1836	explorer.exe
1732	spoolsv.exe
1836	explorer.exe
868	spoolsv.exe
1836	explorer.exe
2744	spoolsv.exe
1836	explorer.exe
2700	spoolsv.exe
1836	explorer.exe
2000	spoolsv.exe
1836	explorer.exe
1492	spoolsv.exe
1836	explorer.exe
2400	spoolsv.exe
1836	explorer.exe
2604	spoolsv.exe
1836	explorer.exe
2716	spoolsv.exe
1836	explorer.exe
2152	spoolsv.exe
1836	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
1728	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
1728	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
2260	explorer.exe
2260	explorer.exe
1836	explorer.exe
1836	explorer.exe
1320	spoolsv.exe
1320	spoolsv.exe
1836	explorer.exe
1836	explorer.exe
2332	spoolsv.exe
2332	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2692	spoolsv.exe
2692	spoolsv.exe
1304	spoolsv.exe
1304	spoolsv.exe
384	spoolsv.exe
384	spoolsv.exe
2400	spoolsv.exe
2400	spoolsv.exe
1800	spoolsv.exe
1800	spoolsv.exe
2756	spoolsv.exe
2756	spoolsv.exe
2868	spoolsv.exe
2868	spoolsv.exe
1348	spoolsv.exe
1348	spoolsv.exe
2736	spoolsv.exe
2736	spoolsv.exe
1260	spoolsv.exe
1260	spoolsv.exe
2896	spoolsv.exe
2896	spoolsv.exe
1640	spoolsv.exe
1640	spoolsv.exe
2796	spoolsv.exe
2796	spoolsv.exe
2772	spoolsv.exe
2772	spoolsv.exe
2768	spoolsv.exe
2768	spoolsv.exe
884	spoolsv.exe
884	spoolsv.exe
1788	spoolsv.exe
1788	spoolsv.exe
1732	spoolsv.exe
1732	spoolsv.exe
868	spoolsv.exe
868	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2700	spoolsv.exe
2700	spoolsv.exe
2000	spoolsv.exe
2000	spoolsv.exe
1492	spoolsv.exe
1492	spoolsv.exe
2400	spoolsv.exe
2400	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exeexplorer.exe

description	pid	process	target process
PID 1984 wrote to memory of 1616	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	cmd.exe
PID 1984 wrote to memory of 1616	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	cmd.exe
PID 1984 wrote to memory of 1616	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	cmd.exe
PID 1984 wrote to memory of 1616	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	cmd.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 1984 wrote to memory of 2308	1984	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 2308 wrote to memory of 1728	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 2308 wrote to memory of 1728	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 2308 wrote to memory of 1728	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 2308 wrote to memory of 1728	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 2308 wrote to memory of 1728	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 2308 wrote to memory of 1728	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 2308 wrote to memory of 1728	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 2308 wrote to memory of 1728	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 2308 wrote to memory of 1728	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
PID 2308 wrote to memory of 1200	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	diskperf.exe
PID 2308 wrote to memory of 1200	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	diskperf.exe
PID 2308 wrote to memory of 1200	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	diskperf.exe
PID 2308 wrote to memory of 1200	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	diskperf.exe
PID 2308 wrote to memory of 1200	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	diskperf.exe
PID 2308 wrote to memory of 1200	2308	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	diskperf.exe
PID 1728 wrote to memory of 2260	1728	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	explorer.exe
PID 1728 wrote to memory of 2260	1728	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	explorer.exe
PID 1728 wrote to memory of 2260	1728	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	explorer.exe
PID 1728 wrote to memory of 2260	1728	4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe	explorer.exe
PID 2260 wrote to memory of 2244	2260	explorer.exe	cmd.exe
PID 2260 wrote to memory of 2244	2260	explorer.exe	cmd.exe
PID 2260 wrote to memory of 2244	2260	explorer.exe	cmd.exe
PID 2260 wrote to memory of 2244	2260	explorer.exe	cmd.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe
PID 2260 wrote to memory of 1660	2260	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
"C:\Users\Admin\AppData\Local\Temp\4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1616

C:\Users\Admin\AppData\Local\Temp\4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
C:\Users\Admin\AppData\Local\Temp\4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Local\Temp\4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
C:\Users\Admin\AppData\Local\Temp\4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:2244

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1660

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2168

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2728

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1128

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3028

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:2088

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2148

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2552

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2452

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1460

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2628

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1640

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2380

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2288

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:384

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2876

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
5118d9538a9e4882310f62351f9d0b15

SHA1
858bab699a830240b946d2b67d4c29c01df7c9ae

SHA256
4a6593c47455a2892ee7ea99c7d6e896b83fa154edfcfa7f04928ab00fb769aa

SHA512
4307210ce9080292893c862f1520236cd0b44fea55beee7305b9a17fa3498ed39af80f41591d4bc59e0f97a570f2deec18a9d55f6fdcdffac6d49d00397db74e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
b3ff6d84c0a9a379a97319502a1e97c0

SHA1
d32114bf3d4abe16ca5d6b12ec913c8c15246b4e

SHA256
f4ec5e78b69b55be122e91281715c046d3e952862159539a1fc4de0e5e540c5f

SHA512
06da54ebb91d44b3ecb94561e0da2b251b4912ad882a86ab1fa81528edf6ae6e39f9763eb46dba446e03a57566b4ef9828c24da362ec7d29cfb9ae7754d81256

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
59c45ec8f690598d55f882ece2bcef32

SHA1
3e4d08ab51e5038550493e807b5439f7a5e5ff5f

SHA256
17c2b7199dec0e8cc6566a1c86f08dba5e002046d8f10d17e2c4d6f9ec0a52ab

SHA512
6197ec22f14b494607397bf2298d9493af104939b73ebb638135e0f2c2b2bf6ce3f5859176e9f71c064883d08f8b84b09960c75c3bda10883acaa0c48ae788eb

Download Submit
memory/384-488-0x0000000000840000-0x0000000000886000-memory.dmp

Filesize
280KB

Download
memory/384-460-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/772-2166-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/772-402-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/920-1887-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/920-250-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1200-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1200-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1200-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1200-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1304-452-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1320-239-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1592-299-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1592-1999-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1660-178-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1660-150-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1728-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-95-0x0000000002710000-0x0000000002756000-memory.dmp

Filesize
280KB

Download
memory/1728-96-0x0000000002710000-0x0000000002756000-memory.dmp

Filesize
280KB

Download
memory/1728-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1836-248-0x0000000003150000-0x0000000003196000-memory.dmp

Filesize
280KB

Download
memory/1836-354-0x0000000003150000-0x0000000003196000-memory.dmp

Filesize
280KB

Download
memory/1836-192-0x0000000003150000-0x0000000003196000-memory.dmp

Filesize
280KB

Download
memory/1836-1083-0x0000000003150000-0x0000000003196000-memory.dmp

Filesize
280KB

Download
memory/1836-301-0x0000000003150000-0x0000000003196000-memory.dmp

Filesize
280KB

Download
memory/1836-485-0x0000000003150000-0x0000000003196000-memory.dmp

Filesize
280KB

Download
memory/1836-457-0x0000000003150000-0x0000000003196000-memory.dmp

Filesize
280KB

Download
memory/1836-249-0x0000000003150000-0x0000000003196000-memory.dmp

Filesize
280KB

Download
memory/1836-459-0x0000000003150000-0x0000000003196000-memory.dmp

Filesize
280KB

Download
memory/1836-456-0x0000000003150000-0x0000000003196000-memory.dmp

Filesize
280KB

Download
memory/1984-42-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1984-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1984-14-0x00000000004D0000-0x0000000000516000-memory.dmp

Filesize
280KB

Download
memory/2116-453-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2116-2234-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2260-141-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2308-41-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2308-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-32-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2308-22-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-36-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-44-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2308-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-16-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-2-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2308-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-49-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2308-50-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2308-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-84-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2308-51-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2308-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-39-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-13-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2308-47-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2308-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2332-251-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2448-2031-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2448-350-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2692-355-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2908-342-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download