warzonerat | 58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
Size

2.9MB
MD5

6431f37946abfa89e940fa27fe6c3718
SHA1

2eba6e19326c672869e4e4b00f0086668e3bea12
SHA256

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1
SHA512

6338e1894662d1414f849d5096b317e890abeedfd59a2bd20de4204dc23d1b1bbd4595abf175cdaae846bd502e0f49943a7285eb2ccf61465370b88b3a3cbbc7
SSDEEP

49152:7v97AXmw4gxeOw46fUbNecCCFbNecZKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKe:7v97K9xZw46G8q8Q

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Detects executables packed with ASPack 40 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2060-31-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-41-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-27-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-4-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-11-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-39-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-37-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-34-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-25-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-18-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-6-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-17-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-43-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-40-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-28-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-23-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-20-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-46-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-42-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-47-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-15-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-48-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-12-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-9-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-45-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-49-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2060-80-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2312-145-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2312-174-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2724-242-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2144-306-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2684-335-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1948-393-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1368-468-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1472-545-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1592-595-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2548-738-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2612-732-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2724-993-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2144-1087-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 4 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 30 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2296	explorer.exe
2312	explorer.exe
2732	explorer.exe
2964	spoolsv.exe
2724	spoolsv.exe
2184	spoolsv.exe
2144	spoolsv.exe
2536	spoolsv.exe
2684	spoolsv.exe
2908	spoolsv.exe
1948	spoolsv.exe
1668	spoolsv.exe
1368	spoolsv.exe
2896	spoolsv.exe
860	spoolsv.exe
940	spoolsv.exe
1472	spoolsv.exe
2916	spoolsv.exe
1592	spoolsv.exe
2656	spoolsv.exe
2612	spoolsv.exe
2520	spoolsv.exe
2548	spoolsv.exe
924	spoolsv.exe
1508	spoolsv.exe
1500	spoolsv.exe
2688	spoolsv.exe
2720	spoolsv.exe
872	spoolsv.exe
2768	spoolsv.exe

Loads dropped DLL 43 IoCs

Processes:

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
472	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
472	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
2732	explorer.exe
2732	explorer.exe
2964	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
2184	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
2536	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
2908	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
1668	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
2896	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
940	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
2916	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
2656	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
2520	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
924	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
1500	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
2720	spoolsv.exe
2732	explorer.exe
2732	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 19 IoCs

Processes:

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1252 set thread context of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2060 set thread context of 472	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2060 set thread context of 572	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 2296 set thread context of 2312	2296	explorer.exe	explorer.exe
PID 2312 set thread context of 2732	2312	explorer.exe	explorer.exe
PID 2312 set thread context of 1528	2312	explorer.exe	diskperf.exe
PID 2964 set thread context of 2724	2964	spoolsv.exe	spoolsv.exe
PID 2184 set thread context of 2144	2184	spoolsv.exe	spoolsv.exe
PID 2536 set thread context of 2684	2536	spoolsv.exe	spoolsv.exe
PID 2908 set thread context of 1948	2908	spoolsv.exe	spoolsv.exe
PID 1668 set thread context of 1368	1668	spoolsv.exe	spoolsv.exe
PID 2896 set thread context of 860	2896	spoolsv.exe	spoolsv.exe
PID 940 set thread context of 1472	940	spoolsv.exe	spoolsv.exe
PID 2916 set thread context of 1592	2916	spoolsv.exe	spoolsv.exe
PID 2656 set thread context of 2612	2656	spoolsv.exe	spoolsv.exe
PID 2520 set thread context of 2548	2520	spoolsv.exe	spoolsv.exe
PID 924 set thread context of 1508	924	spoolsv.exe	spoolsv.exe
PID 1500 set thread context of 2688	1500	spoolsv.exe	spoolsv.exe
PID 2720 set thread context of 872	2720	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 17 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exe58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
472	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
2296	explorer.exe
2964	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
2184	spoolsv.exe
2732	explorer.exe
2536	spoolsv.exe
2732	explorer.exe
2908	spoolsv.exe
2732	explorer.exe
1668	spoolsv.exe
2732	explorer.exe
2896	spoolsv.exe
2732	explorer.exe
940	spoolsv.exe
2732	explorer.exe
2916	spoolsv.exe
2732	explorer.exe
2656	spoolsv.exe
2732	explorer.exe
2520	spoolsv.exe
2732	explorer.exe
924	spoolsv.exe
2732	explorer.exe
1500	spoolsv.exe
2732	explorer.exe
2720	spoolsv.exe
2732	explorer.exe

Suspicious use of SetWindowsHookEx 36 IoCs

Processes:

pid	process
1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
472	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
472	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
2296	explorer.exe
2296	explorer.exe
2732	explorer.exe
2732	explorer.exe
2964	spoolsv.exe
2964	spoolsv.exe
2732	explorer.exe
2732	explorer.exe
2184	spoolsv.exe
2184	spoolsv.exe
2536	spoolsv.exe
2536	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
1668	spoolsv.exe
1668	spoolsv.exe
2896	spoolsv.exe
2896	spoolsv.exe
940	spoolsv.exe
940	spoolsv.exe
2916	spoolsv.exe
2916	spoolsv.exe
2656	spoolsv.exe
2656	spoolsv.exe
2520	spoolsv.exe
2520	spoolsv.exe
924	spoolsv.exe
924	spoolsv.exe
1500	spoolsv.exe
1500	spoolsv.exe
2720	spoolsv.exe
2720	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exeexplorer.exe

description	pid	process	target process
PID 1252 wrote to memory of 2144	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	cmd.exe
PID 1252 wrote to memory of 2144	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	cmd.exe
PID 1252 wrote to memory of 2144	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	cmd.exe
PID 1252 wrote to memory of 2144	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	cmd.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 1252 wrote to memory of 2060	1252	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2060 wrote to memory of 472	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2060 wrote to memory of 472	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2060 wrote to memory of 472	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2060 wrote to memory of 472	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2060 wrote to memory of 472	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2060 wrote to memory of 472	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2060 wrote to memory of 472	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2060 wrote to memory of 472	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2060 wrote to memory of 472	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2060 wrote to memory of 572	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 2060 wrote to memory of 572	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 2060 wrote to memory of 572	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 2060 wrote to memory of 572	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 2060 wrote to memory of 572	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 2060 wrote to memory of 572	2060	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 472 wrote to memory of 2296	472	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	explorer.exe
PID 472 wrote to memory of 2296	472	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	explorer.exe
PID 472 wrote to memory of 2296	472	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	explorer.exe
PID 472 wrote to memory of 2296	472	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	explorer.exe
PID 2296 wrote to memory of 1928	2296	explorer.exe	cmd.exe
PID 2296 wrote to memory of 1928	2296	explorer.exe	cmd.exe
PID 2296 wrote to memory of 1928	2296	explorer.exe	cmd.exe
PID 2296 wrote to memory of 1928	2296	explorer.exe	cmd.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe
PID 2296 wrote to memory of 2312	2296	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
"C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:2144

C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:472

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:1928

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2312

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2792

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1668

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1344

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1052

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:3048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1760

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1528

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
6431f37946abfa89e940fa27fe6c3718

SHA1
2eba6e19326c672869e4e4b00f0086668e3bea12

SHA256
58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1

SHA512
6338e1894662d1414f849d5096b317e890abeedfd59a2bd20de4204dc23d1b1bbd4595abf175cdaae846bd502e0f49943a7285eb2ccf61465370b88b3a3cbbc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
b149ebb54ee2ab06405e2745a812204e

SHA1
129ea1084ae27cb7ff3e57e0a9a8d980dd3a0507

SHA256
4afa263fc4aa35675fc18b204266f707b01b6dbd30476df2a8fa3f49b23707bb

SHA512
3c87cde787ab8a611987014cc69d94157ac81b117a9876bccdf1a49dc86145a36c877f770adf70c7f81e0901ec576fd7c1485d6f50c5321d5dd6bb429ab39c17

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
2e397e31cfda558a169d9540d8786023

SHA1
db2f5d872205b8e2380052ad92ce0a436724d796

SHA256
f0c1906febbade06953b45d7e5c84a071e1b0fe08aeed1cf7a6cc44557041460

SHA512
9ac6ca13260b2bdc870eb0cbb7206ce8639840a2b723d3b2e9801b36a2d79cc546b12cdf4506fbcba2803e79c297bac8bc8d6b980dc722812580bdf586bdd21f

Download Submit
memory/472-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/472-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/472-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/472-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/472-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/472-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/572-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/572-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/572-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/572-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1368-468-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1472-545-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1592-595-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1948-393-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2060-43-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2060-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-42-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-48-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2060-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2060-51-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2060-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-23-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2060-44-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2060-80-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2060-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-46-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2060-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2060-34-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-41-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2060-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-39-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2060-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2060-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2144-306-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2144-1087-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2312-174-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2312-145-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2548-738-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2612-732-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2684-335-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2724-242-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2724-993-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download