warzonerat | 75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
Size

2.9MB
MD5

e447c86150b702e0a52cea8479ac9d13
SHA1

a33949da6fd8707f6e52007887f70919e9185bf5
SHA256

75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b
SHA512

37f3aa9fe7c4f9bcca4540b726ebc87719bd4939fa36297cf86f455299921b04fdd208603e37db55d88afdd9e16de51635ab33af07232ab3ce894e495fcc4336
SSDEEP

24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHN:7v97AXmw4gxeOw46fUbNecCCFbNecy

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Detects executables packed with ASPack 59 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2168-15-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-13-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-46-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-41-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-49-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-47-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-45-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-43-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-42-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-40-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-38-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-36-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-31-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-29-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-27-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-25-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-23-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-19-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-18-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-11-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-9-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-44-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-7-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-5-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-21-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-50-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2168-83-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/764-145-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/764-177-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1596-288-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1616-241-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/3012-341-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/3008-388-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2804-438-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2328-492-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1532-539-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2232-594-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1248-650-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2188-701-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2052-795-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2164-885-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2700-982-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1016-1126-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2508-1222-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2652-1271-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2808-1322-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2096-1371-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2892-1422-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1616-1637-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1596-1752-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/3012-1821-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/3008-1845-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2804-2005-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2328-2031-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1532-2091-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2232-2189-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1248-2260-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2188-2374-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1528-2443-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 36 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

pid	process
1928	explorer.exe
764	explorer.exe
2364	explorer.exe
1820	spoolsv.exe
1616	spoolsv.exe
1744	spoolsv.exe
1596	spoolsv.exe
1824	spoolsv.exe
3012	spoolsv.exe
2536	spoolsv.exe
3008	spoolsv.exe
1776	spoolsv.exe
2804	spoolsv.exe
2312	spoolsv.exe
2328	spoolsv.exe
828	spoolsv.exe
1532	spoolsv.exe
1380	spoolsv.exe
2232	spoolsv.exe
2680	spoolsv.exe
1248	spoolsv.exe
2556	spoolsv.exe
2188	spoolsv.exe
948	spoolsv.exe
1528	spoolsv.exe
540	spoolsv.exe
2052	spoolsv.exe
1268	spoolsv.exe
292	spoolsv.exe
2600	spoolsv.exe
2164	spoolsv.exe
2264	spoolsv.exe
1944	spoolsv.exe
2652	spoolsv.exe
2700	spoolsv.exe
1964	spoolsv.exe
2204	spoolsv.exe
2296	spoolsv.exe
1904	spoolsv.exe
1796	spoolsv.exe
1016	spoolsv.exe
1696	spoolsv.exe
2184	spoolsv.exe
2068	spoolsv.exe
2508	spoolsv.exe
2064	spoolsv.exe
2652	spoolsv.exe
2408	spoolsv.exe
2808	spoolsv.exe
928	spoolsv.exe
2096	spoolsv.exe
1476	spoolsv.exe
2892	spoolsv.exe
768	spoolsv.exe
3044	spoolsv.exe
1972	spoolsv.exe
1396	spoolsv.exe
2884	spoolsv.exe
2356	spoolsv.exe
2556	spoolsv.exe
3040	spoolsv.exe
2552	spoolsv.exe
2816	spoolsv.exe
2104	explorer.exe

Loads dropped DLL 64 IoCs

Processes:

pid	process
2256	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
2256	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
2364	explorer.exe
2364	explorer.exe
1820	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
1744	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
1824	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
2536	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
1776	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
2312	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
828	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
1380	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
2680	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
2556	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
948	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
540	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
1268	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
2600	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
2264	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
2652	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
1964	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
2296	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
1796	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
1696	spoolsv.exe
2364	explorer.exe
2364	explorer.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 2044 set thread context of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2168 set thread context of 2256	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2168 set thread context of 2968	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	diskperf.exe
PID 1928 set thread context of 764	1928	explorer.exe	explorer.exe
PID 764 set thread context of 2364	764	explorer.exe	explorer.exe
PID 764 set thread context of 1960	764	explorer.exe	diskperf.exe
PID 1820 set thread context of 1616	1820	spoolsv.exe	spoolsv.exe
PID 1744 set thread context of 1596	1744	spoolsv.exe	spoolsv.exe
PID 1824 set thread context of 3012	1824	spoolsv.exe	spoolsv.exe
PID 2536 set thread context of 3008	2536	spoolsv.exe	spoolsv.exe
PID 1776 set thread context of 2804	1776	spoolsv.exe	spoolsv.exe
PID 2312 set thread context of 2328	2312	spoolsv.exe	spoolsv.exe
PID 828 set thread context of 1532	828	spoolsv.exe	spoolsv.exe
PID 1380 set thread context of 2232	1380	spoolsv.exe	spoolsv.exe
PID 2680 set thread context of 1248	2680	spoolsv.exe	spoolsv.exe
PID 2556 set thread context of 2188	2556	spoolsv.exe	spoolsv.exe
PID 948 set thread context of 1528	948	spoolsv.exe	spoolsv.exe
PID 540 set thread context of 2052	540	spoolsv.exe	spoolsv.exe
PID 1268 set thread context of 292	1268	spoolsv.exe	spoolsv.exe
PID 2600 set thread context of 2164	2600	spoolsv.exe	spoolsv.exe
PID 2264 set thread context of 1944	2264	spoolsv.exe	spoolsv.exe
PID 2652 set thread context of 2700	2652	spoolsv.exe	spoolsv.exe
PID 1964 set thread context of 2204	1964	spoolsv.exe	spoolsv.exe
PID 2296 set thread context of 1904	2296	spoolsv.exe	spoolsv.exe
PID 1796 set thread context of 1016	1796	spoolsv.exe	spoolsv.exe
PID 1696 set thread context of 2184	1696	spoolsv.exe	spoolsv.exe
PID 2068 set thread context of 2508	2068	spoolsv.exe	spoolsv.exe
PID 2064 set thread context of 2652	2064	spoolsv.exe	spoolsv.exe
PID 2408 set thread context of 2808	2408	spoolsv.exe	spoolsv.exe
PID 928 set thread context of 2096	928	spoolsv.exe	spoolsv.exe
PID 1476 set thread context of 2892	1476	spoolsv.exe	spoolsv.exe
PID 768 set thread context of 3044	768	spoolsv.exe	spoolsv.exe
PID 1972 set thread context of 1396	1972	spoolsv.exe	spoolsv.exe
PID 2884 set thread context of 2356	2884	spoolsv.exe	spoolsv.exe
PID 2556 set thread context of 3040	2556	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 2816	1616	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 1636	1616	spoolsv.exe	diskperf.exe
PID 2552 set thread context of 1264	2552	spoolsv.exe	spoolsv.exe
PID 2104 set thread context of 1144	2104	explorer.exe	explorer.exe
PID 1596 set thread context of 1676	1596	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 1728	1596	spoolsv.exe	diskperf.exe
PID 3012 set thread context of 1340	3012	spoolsv.exe	spoolsv.exe
PID 572 set thread context of 560	572	spoolsv.exe	spoolsv.exe
PID 3012 set thread context of 2636	3012	spoolsv.exe	diskperf.exe
PID 3008 set thread context of 324	3008	spoolsv.exe	spoolsv.exe
PID 3008 set thread context of 2044	3008	spoolsv.exe	diskperf.exe
PID 2616 set thread context of 1940	2616	spoolsv.exe	spoolsv.exe
PID 2804 set thread context of 2764	2804	spoolsv.exe	spoolsv.exe
PID 844 set thread context of 956	844	explorer.exe	explorer.exe
PID 1652 set thread context of 2852	1652	spoolsv.exe	spoolsv.exe
PID 2804 set thread context of 1052	2804	spoolsv.exe	diskperf.exe
PID 2328 set thread context of 2040	2328	spoolsv.exe	spoolsv.exe
PID 2328 set thread context of 880	2328	spoolsv.exe	diskperf.exe
PID 1532 set thread context of 2244	1532	spoolsv.exe	spoolsv.exe
PID 1532 set thread context of 1468	1532	spoolsv.exe	diskperf.exe
PID 1232 set thread context of 2684	1232	spoolsv.exe	spoolsv.exe
PID 2232 set thread context of 948	2232	spoolsv.exe	spoolsv.exe
PID 1068 set thread context of 1184	1068	explorer.exe	explorer.exe
PID 2232 set thread context of 2708	2232	spoolsv.exe	diskperf.exe
PID 1588 set thread context of 1956	1588	spoolsv.exe	spoolsv.exe
PID 1248 set thread context of 1828	1248	spoolsv.exe	spoolsv.exe
PID 1248 set thread context of 672	1248	spoolsv.exe	diskperf.exe
PID 1380 set thread context of 1796	1380	explorer.exe	explorer.exe
PID 1296 set thread context of 1972	1296	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 47 IoCs

Processes:

75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
2256	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
1928	explorer.exe
1820	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
1744	spoolsv.exe
2364	explorer.exe
1824	spoolsv.exe
2364	explorer.exe
2536	spoolsv.exe
2364	explorer.exe
1776	spoolsv.exe
2364	explorer.exe
2312	spoolsv.exe
2364	explorer.exe
828	spoolsv.exe
2364	explorer.exe
1380	spoolsv.exe
2364	explorer.exe
2680	spoolsv.exe
2364	explorer.exe
2556	spoolsv.exe
2364	explorer.exe
948	spoolsv.exe
2364	explorer.exe
540	spoolsv.exe
2364	explorer.exe
1268	spoolsv.exe
2364	explorer.exe
2600	spoolsv.exe
2364	explorer.exe
2264	spoolsv.exe
2364	explorer.exe
2652	spoolsv.exe
2364	explorer.exe
1964	spoolsv.exe
2364	explorer.exe
2296	spoolsv.exe
2364	explorer.exe
1796	spoolsv.exe
2364	explorer.exe
1696	spoolsv.exe
2364	explorer.exe
2068	spoolsv.exe
2364	explorer.exe
2064	spoolsv.exe
2364	explorer.exe
2408	spoolsv.exe
2364	explorer.exe
928	spoolsv.exe
2364	explorer.exe
1476	spoolsv.exe
2364	explorer.exe
768	spoolsv.exe
2364	explorer.exe
1972	spoolsv.exe
2364	explorer.exe
2884	spoolsv.exe
2364	explorer.exe
2556	spoolsv.exe
2364	explorer.exe
2552	spoolsv.exe
2364	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
2256	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
2256	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
1928	explorer.exe
1928	explorer.exe
2364	explorer.exe
2364	explorer.exe
1820	spoolsv.exe
1820	spoolsv.exe
2364	explorer.exe
2364	explorer.exe
1744	spoolsv.exe
1744	spoolsv.exe
1824	spoolsv.exe
1824	spoolsv.exe
2536	spoolsv.exe
2536	spoolsv.exe
1776	spoolsv.exe
1776	spoolsv.exe
2312	spoolsv.exe
2312	spoolsv.exe
828	spoolsv.exe
828	spoolsv.exe
1380	spoolsv.exe
1380	spoolsv.exe
2680	spoolsv.exe
2680	spoolsv.exe
2556	spoolsv.exe
2556	spoolsv.exe
948	spoolsv.exe
948	spoolsv.exe
540	spoolsv.exe
540	spoolsv.exe
1268	spoolsv.exe
1268	spoolsv.exe
2600	spoolsv.exe
2600	spoolsv.exe
2264	spoolsv.exe
2264	spoolsv.exe
2652	spoolsv.exe
2652	spoolsv.exe
1964	spoolsv.exe
1964	spoolsv.exe
2296	spoolsv.exe
2296	spoolsv.exe
1796	spoolsv.exe
1796	spoolsv.exe
1696	spoolsv.exe
1696	spoolsv.exe
2068	spoolsv.exe
2068	spoolsv.exe
2064	spoolsv.exe
2064	spoolsv.exe
2408	spoolsv.exe
2408	spoolsv.exe
928	spoolsv.exe
928	spoolsv.exe
1476	spoolsv.exe
1476	spoolsv.exe
768	spoolsv.exe
768	spoolsv.exe
1972	spoolsv.exe
1972	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exeexplorer.exe

description	pid	process	target process
PID 2044 wrote to memory of 1472	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	cmd.exe
PID 2044 wrote to memory of 1472	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	cmd.exe
PID 2044 wrote to memory of 1472	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	cmd.exe
PID 2044 wrote to memory of 1472	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	cmd.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2044 wrote to memory of 2168	2044	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2168 wrote to memory of 2256	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2168 wrote to memory of 2256	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2168 wrote to memory of 2256	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2168 wrote to memory of 2256	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2168 wrote to memory of 2256	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2168 wrote to memory of 2256	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2168 wrote to memory of 2256	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2168 wrote to memory of 2256	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2168 wrote to memory of 2256	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
PID 2168 wrote to memory of 2968	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	diskperf.exe
PID 2168 wrote to memory of 2968	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	diskperf.exe
PID 2168 wrote to memory of 2968	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	diskperf.exe
PID 2168 wrote to memory of 2968	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	diskperf.exe
PID 2168 wrote to memory of 2968	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	diskperf.exe
PID 2168 wrote to memory of 2968	2168	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	diskperf.exe
PID 2256 wrote to memory of 1928	2256	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	explorer.exe
PID 2256 wrote to memory of 1928	2256	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	explorer.exe
PID 2256 wrote to memory of 1928	2256	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	explorer.exe
PID 2256 wrote to memory of 1928	2256	75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe	explorer.exe
PID 1928 wrote to memory of 2216	1928	explorer.exe	cmd.exe
PID 1928 wrote to memory of 2216	1928	explorer.exe	cmd.exe
PID 1928 wrote to memory of 2216	1928	explorer.exe	cmd.exe
PID 1928 wrote to memory of 2216	1928	explorer.exe	cmd.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe
PID 1928 wrote to memory of 764	1928	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
"C:\Users\Admin\AppData\Local\Temp\75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1472

C:\Users\Admin\AppData\Local\Temp\75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
C:\Users\Admin\AppData\Local\Temp\75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
C:\Users\Admin\AppData\Local\Temp\75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:2216

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:764

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
- Executes dropped EXE
PID:2816

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1612

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1144

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1676

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:2192

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1340

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:324

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2764

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2040

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1492

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2244

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1828

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1668

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1796

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2376

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:2640

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2732

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:820

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:2952

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2332

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:2968

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
Filesize
2.9MB

MD5
e447c86150b702e0a52cea8479ac9d13

SHA1
a33949da6fd8707f6e52007887f70919e9185bf5

SHA256
75ef6379f58dfecb74fe39a4e74687d5f88ad4ba97d81257b001e191c1e2082b

SHA512
37f3aa9fe7c4f9bcca4540b726ebc87719bd4939fa36297cf86f455299921b04fdd208603e37db55d88afdd9e16de51635ab33af07232ab3ce894e495fcc4336

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe
Filesize
2.9MB

MD5
b9aea08b094c329d78482457f8a4dab6

SHA1
af68dfb6343a037b1bba1158b31ac67d00715830

SHA256
cc4cdab6471be79ddbc72e11def0b856155e542279240d5e498a841b8881087a

SHA512
fcead54daa48ebdc465ef7ec23f049501e952f95aac4997f1bc597046036cc09778bc756c348e8ff033ec114bc360da9128259b1ad2bba0bf6413b146b363104

Download Submit
\Windows\system\spoolsv.exe
Filesize
2.9MB

MD5
770ef3dbab6576615a2769d629dc355c

SHA1
963aac7f72078da29349a056f54f28773d5eba63

SHA256
a6fd176264c3bb06006f08d948a4de199f9fb33834cfe99b4642d41fc9843625

SHA512
244654304164d294db3e2f686d87a346fb3f3f9bf1dfd037f157ec23c837608d242baa1474739892fb8ca50fce52b68a0eab446d29e94f57d5a20c049a156dc8

Download Submit
memory/764-177-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/764-145-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1016-1126-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1248-650-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1248-2260-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1528-2443-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1532-2091-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1532-539-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1596-288-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1596-1752-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1616-241-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1616-1637-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2052-795-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2096-1371-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2164-885-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2168-83-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2168-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2168-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2168-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2168-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-50-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2168-48-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2168-41-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-19-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2168-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2168-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-23-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-45-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2168-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-29-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-36-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-38-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-40-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2168-13-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2168-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2188-701-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2188-2374-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2232-594-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2232-2189-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2256-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-492-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2328-2031-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2508-1222-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2652-1271-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2700-982-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2804-2005-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2804-438-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2808-1322-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2892-1422-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2968-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2968-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3008-1845-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3008-388-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3012-1821-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/3012-341-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads