warzonerat | 515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
Size

2.9MB
MD5

7c2cc0158f54a6d6e4b7dbbae178ddb0
SHA1

c4f3c30cf41e2665eddcf0532cf36d2401be476b
SHA256

515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf
SHA512

c4d7b491d2e0e89fe4162060c72f9683b330f6986d0aed19418df6206b4fe39566a1be8c0b71a69dd3085f63f4ef4021ce33ed6048629ebd4caa6b1c2efbbfb1
SSDEEP

24576:ATU7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHb:ATU7AAmw4gxeOw46fUbNecCCFbNecO

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Detects executables packed with ASPack 53 IoCs

resource	yara_rule
behavioral1/memory/1740-25-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-27-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-49-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-45-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-52-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-48-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-46-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-44-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-42-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-40-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-38-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-32-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-30-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-12-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-51-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-47-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-43-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-5-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-35-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-23-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-21-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-19-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-17-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-15-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-13-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-9-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-7-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1740-82-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1316-149-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1316-185-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1820-269-0x0000000002D40000-0x0000000002D86000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2196-263-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/948-242-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2656-327-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2644-379-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/344-428-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1928-487-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2476-539-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2424-593-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2832-651-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1540-702-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/544-750-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/948-1759-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2196-1890-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2656-1936-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2644-1984-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/344-2098-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1928-2123-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2476-2299-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2424-2306-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2832-2377-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1540-2470-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/544-2630-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack

UPX dump on OEP (original entry point) 19 IoCs

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/2204-41-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/files/0x0008000000015fbb-88.dat	UPX
behavioral1/memory/1984-100-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/files/0x0008000000015d28-171.dat	UPX
behavioral1/files/0x000a000000015d99-188.dat	UPX
behavioral1/memory/1768-198-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/2012-271-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/1888-254-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/2012-317-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/2696-328-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/2748-380-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/268-433-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/2384-489-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/3008-540-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/3008-551-0x0000000000450000-0x0000000000496000-memory.dmp	UPX
behavioral1/memory/2680-598-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/2360-652-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral1/memory/1968-703-0x0000000000400000-0x0000000000446000-memory.dmp	UPX

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000015fbb-88.dat	warzonerat
behavioral1/files/0x0008000000015d28-171.dat	warzonerat
behavioral1/files/0x000a000000015d99-188.dat	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
1984	explorer.exe
1316	explorer.exe
1820	explorer.exe
1768	spoolsv.exe
948	spoolsv.exe
1888	spoolsv.exe
2196	spoolsv.exe
2012	spoolsv.exe
2656	spoolsv.exe
2696	spoolsv.exe
2644	spoolsv.exe
2748	spoolsv.exe
344	spoolsv.exe
268	spoolsv.exe
1928	spoolsv.exe
2384	spoolsv.exe
2476	spoolsv.exe
3008	spoolsv.exe
2424	spoolsv.exe
2680	spoolsv.exe
2832	spoolsv.exe
2360	spoolsv.exe
1540	spoolsv.exe
1968	spoolsv.exe
544	spoolsv.exe
1696	spoolsv.exe
2972	spoolsv.exe
1464	spoolsv.exe
1100	spoolsv.exe
1792	spoolsv.exe
2480	spoolsv.exe
1888	spoolsv.exe
2432	spoolsv.exe
2420	spoolsv.exe
2208	spoolsv.exe
872	spoolsv.exe
2828	spoolsv.exe
2928	spoolsv.exe
2264	spoolsv.exe
2448	spoolsv.exe
2640	spoolsv.exe
1152	spoolsv.exe
1744	spoolsv.exe
1672	spoolsv.exe
1796	spoolsv.exe
1544	spoolsv.exe
1576	spoolsv.exe
2016	spoolsv.exe
2760	spoolsv.exe
2900	spoolsv.exe
3052	spoolsv.exe
1968	spoolsv.exe
2500	spoolsv.exe
752	spoolsv.exe
1932	spoolsv.exe
1824	spoolsv.exe
2216	spoolsv.exe
1700	spoolsv.exe
1988	spoolsv.exe
2080	spoolsv.exe
2780	spoolsv.exe
2560	spoolsv.exe
1636	spoolsv.exe
872	spoolsv.exe

Loads dropped DLL 64 IoCs

pid	Process
2260	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
2260	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
1820	explorer.exe
1820	explorer.exe
1768	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
1888	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
2012	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
2696	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
2748	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
268	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
2384	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
3008	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
2680	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
2360	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
1968	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
1696	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
1464	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
1792	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
1888	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
2420	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
872	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
2928	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
2448	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
1152	spoolsv.exe
1820	explorer.exe
1820	explorer.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2204-41-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/files/0x0008000000015fbb-88.dat	upx
behavioral1/memory/1984-100-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/files/0x0008000000015d28-171.dat	upx
behavioral1/files/0x000a000000015d99-188.dat	upx
behavioral1/memory/1768-198-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2012-271-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1888-254-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2012-317-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2696-328-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2748-380-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/268-433-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2384-489-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/3008-540-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2680-598-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2360-652-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1968-703-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2204 set thread context of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 1740 set thread context of 2260	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	31
PID 1740 set thread context of 2924	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	32
PID 1984 set thread context of 1316	1984	explorer.exe	38
PID 1316 set thread context of 1820	1316	explorer.exe	39
PID 1316 set thread context of 2104	1316	explorer.exe	40
PID 1768 set thread context of 948	1768	spoolsv.exe	44
PID 2012 set thread context of 2656	2012	spoolsv.exe	52
PID 2696 set thread context of 2644	2696	spoolsv.exe	56
PID 2748 set thread context of 344	2748	spoolsv.exe	59
PID 268 set thread context of 1928	268	spoolsv.exe	63
PID 2384 set thread context of 2476	2384	spoolsv.exe	66
PID 3008 set thread context of 2424	3008	spoolsv.exe	70
PID 2680 set thread context of 2832	2680	spoolsv.exe	74
PID 2360 set thread context of 1540	2360	spoolsv.exe	77
PID 1968 set thread context of 544	1968	spoolsv.exe	81
PID 1696 set thread context of 2972	1696	spoolsv.exe	85
PID 1464 set thread context of 1100	1464	spoolsv.exe	89
PID 1792 set thread context of 2480	1792	spoolsv.exe	93
PID 2420 set thread context of 2208	2420	spoolsv.exe	101
PID 872 set thread context of 2828	872	spoolsv.exe	105
PID 2928 set thread context of 2264	2928	spoolsv.exe	109
PID 2448 set thread context of 2640	2448	spoolsv.exe	113
PID 1152 set thread context of 1744	1152	spoolsv.exe	117
PID 1672 set thread context of 1796	1672	spoolsv.exe	121
PID 1544 set thread context of 1576	1544	spoolsv.exe	125
PID 2016 set thread context of 2760	2016	spoolsv.exe	129
PID 2900 set thread context of 3052	2900	spoolsv.exe	133
PID 1968 set thread context of 2500	1968	spoolsv.exe	137
PID 752 set thread context of 1932	752	spoolsv.exe	141
PID 1824 set thread context of 2216	1824	spoolsv.exe	145
PID 1700 set thread context of 1988	1700	spoolsv.exe	149
PID 2080 set thread context of 2780	2080	spoolsv.exe	153
PID 2560 set thread context of 1636	2560	spoolsv.exe	157
PID 872 set thread context of 2900	872	spoolsv.exe	161
PID 2508 set thread context of 2092	2508	spoolsv.exe	165
PID 1872 set thread context of 2180	1872	spoolsv.exe	169
PID 948 set thread context of 1824	948	spoolsv.exe	170
PID 948 set thread context of 2944	948	spoolsv.exe	171
PID 2300 set thread context of 3008	2300	spoolsv.exe	178
PID 1752 set thread context of 2768	1752	explorer.exe	179
PID 2196 set thread context of 2612	2196	spoolsv.exe	180
PID 2196 set thread context of 3048	2196	spoolsv.exe	183
PID 2656 set thread context of 3060	2656	spoolsv.exe	185
PID 2656 set thread context of 2928	2656	spoolsv.exe	186
PID 2648 set thread context of 2852	2648	spoolsv.exe	184
PID 2644 set thread context of 2040	2644	spoolsv.exe	189
PID 2644 set thread context of 696	2644	spoolsv.exe	190
PID 2452 set thread context of 1684	2452	spoolsv.exe	194
PID 2720 set thread context of 2600	2720	explorer.exe	196
PID 344 set thread context of 1688	344	spoolsv.exe	197
PID 344 set thread context of 1648	344	spoolsv.exe	198
PID 1928 set thread context of 2592	1928	spoolsv.exe	202
PID 1928 set thread context of 2684	1928	spoolsv.exe	203
PID 1328 set thread context of 1572	1328	spoolsv.exe	207
PID 2892 set thread context of 1504	2892	explorer.exe	208
PID 2476 set thread context of 2616	2476	spoolsv.exe	212
PID 2808 set thread context of 2984	2808	spoolsv.exe	214
PID 2476 set thread context of 2064	2476	spoolsv.exe	213
PID 2424 set thread context of 2044	2424	spoolsv.exe	217
PID 2424 set thread context of 2160	2424	spoolsv.exe	218
PID 2864 set thread context of 1956	2864	spoolsv.exe	222
PID 2832 set thread context of 3028	2832	spoolsv.exe	224
PID 2832 set thread context of 2556	2832	spoolsv.exe	225

Drops file in Windows directory 49 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
2260	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
1984	explorer.exe
1768	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
2012	spoolsv.exe
1820	explorer.exe
2696	spoolsv.exe
1820	explorer.exe
2748	spoolsv.exe
1820	explorer.exe
268	spoolsv.exe
1820	explorer.exe
2384	spoolsv.exe
1820	explorer.exe
3008	spoolsv.exe
1820	explorer.exe
2680	spoolsv.exe
1820	explorer.exe
2360	spoolsv.exe
1820	explorer.exe
1968	spoolsv.exe
1820	explorer.exe
1696	spoolsv.exe
1820	explorer.exe
1464	spoolsv.exe
1820	explorer.exe
1792	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
2420	spoolsv.exe
1820	explorer.exe
872	spoolsv.exe
1820	explorer.exe
2928	spoolsv.exe
1820	explorer.exe
2448	spoolsv.exe
1820	explorer.exe
1152	spoolsv.exe
1820	explorer.exe
1672	spoolsv.exe
1820	explorer.exe
1544	spoolsv.exe
1820	explorer.exe
2016	spoolsv.exe
1820	explorer.exe
2900	spoolsv.exe
1820	explorer.exe
1968	spoolsv.exe
1820	explorer.exe
752	spoolsv.exe
1820	explorer.exe
1824	spoolsv.exe
1820	explorer.exe
1700	spoolsv.exe
1820	explorer.exe
2080	spoolsv.exe
1820	explorer.exe
2560	spoolsv.exe
1820	explorer.exe
872	spoolsv.exe
1820	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
2260	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
2260	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
1984	explorer.exe
1984	explorer.exe
1820	explorer.exe
1820	explorer.exe
1768	spoolsv.exe
1768	spoolsv.exe
1820	explorer.exe
1820	explorer.exe
2012	spoolsv.exe
2012	spoolsv.exe
2696	spoolsv.exe
2696	spoolsv.exe
2748	spoolsv.exe
2748	spoolsv.exe
268	spoolsv.exe
268	spoolsv.exe
2384	spoolsv.exe
2384	spoolsv.exe
3008	spoolsv.exe
3008	spoolsv.exe
2680	spoolsv.exe
2680	spoolsv.exe
2360	spoolsv.exe
2360	spoolsv.exe
1968	spoolsv.exe
1968	spoolsv.exe
1696	spoolsv.exe
1696	spoolsv.exe
1464	spoolsv.exe
1464	spoolsv.exe
1792	spoolsv.exe
1792	spoolsv.exe
2420	spoolsv.exe
2420	spoolsv.exe
872	spoolsv.exe
872	spoolsv.exe
2928	spoolsv.exe
2928	spoolsv.exe
2448	spoolsv.exe
2448	spoolsv.exe
1152	spoolsv.exe
1152	spoolsv.exe
1672	spoolsv.exe
1672	spoolsv.exe
1544	spoolsv.exe
1544	spoolsv.exe
2016	spoolsv.exe
2016	spoolsv.exe
2900	spoolsv.exe
2900	spoolsv.exe
1968	spoolsv.exe
1968	spoolsv.exe
752	spoolsv.exe
752	spoolsv.exe
1824	spoolsv.exe
1824	spoolsv.exe
1700	spoolsv.exe
1700	spoolsv.exe
2080	spoolsv.exe
2080	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2420	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	28
PID 2204 wrote to memory of 2420	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	28
PID 2204 wrote to memory of 2420	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	28
PID 2204 wrote to memory of 2420	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	28
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 2204 wrote to memory of 1740	2204	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	30
PID 1740 wrote to memory of 2260	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	31
PID 1740 wrote to memory of 2260	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	31
PID 1740 wrote to memory of 2260	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	31
PID 1740 wrote to memory of 2260	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	31
PID 1740 wrote to memory of 2260	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	31
PID 1740 wrote to memory of 2260	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	31
PID 1740 wrote to memory of 2260	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	31
PID 1740 wrote to memory of 2260	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	31
PID 1740 wrote to memory of 2260	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	31
PID 1740 wrote to memory of 2924	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	32
PID 1740 wrote to memory of 2924	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	32
PID 1740 wrote to memory of 2924	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	32
PID 1740 wrote to memory of 2924	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	32
PID 1740 wrote to memory of 2924	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	32
PID 1740 wrote to memory of 2924	1740	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	32
PID 2260 wrote to memory of 1984	2260	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	33
PID 2260 wrote to memory of 1984	2260	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	33
PID 2260 wrote to memory of 1984	2260	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	33
PID 2260 wrote to memory of 1984	2260	515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe	33
PID 1984 wrote to memory of 912	1984	explorer.exe	34
PID 1984 wrote to memory of 912	1984	explorer.exe	34
PID 1984 wrote to memory of 912	1984	explorer.exe	34
PID 1984 wrote to memory of 912	1984	explorer.exe	34
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38
PID 1984 wrote to memory of 1316	1984	explorer.exe	38

C:\Users\Admin\AppData\Local\Temp\515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
"C:\Users\Admin\AppData\Local\Temp\515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
  C:\Users\Admin\AppData\Local\Temp\515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
    C:\Users\Admin\AppData\Local\Temp\515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        
        PID:912
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1316
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1812
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:948
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:1824
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:1620
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1736
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2196
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:3048
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2812
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2656
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2536
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2644
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2040
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:1624
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:696
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1800
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:344
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1648
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2592
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:304
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2684
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1000
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1812
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2424
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2044
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Drops file in Windows directory
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:960
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2160
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2236
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2832
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1540
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2816
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Drops file in Windows directory
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:1960
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1596
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:544
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1792
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2176
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1508
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1680
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1100
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1796
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2480
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2628
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2432
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2204
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2208
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2828
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2948
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2272
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2640
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:444
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3012
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1796
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1992
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1576
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2340
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2760
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3060
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3052
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2144
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2500
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2712
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1932
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1808
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2216
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2044
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2392
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1636
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2900
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2092
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:836
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2180
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1648
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2940
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2852
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2448
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1684
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2148
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1572
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1324
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2984
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1956
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2400
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2408
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1584
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3024
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1052
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2916
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2104
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
7c2cc0158f54a6d6e4b7dbbae178ddb0

SHA1
c4f3c30cf41e2665eddcf0532cf36d2401be476b

SHA256
515e2c242147664522d5121fb23fd11059b9de968cdc0c0ad23d45832f46cfbf

SHA512
c4d7b491d2e0e89fe4162060c72f9683b330f6986d0aed19418df6206b4fe39566a1be8c0b71a69dd3085f63f4ef4021ce33ed6048629ebd4caa6b1c2efbbfb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
a589876b851248c6b42703c9505e7aa6

SHA1
c6a3209d77c5d07bfe4920fdfa0dfa04e36413a2

SHA256
b75948460b78936a9a05b9a106de9da08bc41802104bd0f8ceb9e6d967fc2fcd

SHA512
3a4a678f2b0162f8fd1e8049c7cfb3f6b3860239ed0d4ee21dbaa3553f50b2a4784cbd26916a630d99dc10b686e64f60949c5aeab84f6d94a43671385343baf2

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
57261e2acd260a7ebf9360cfe9798883

SHA1
0aa93ba960247b3f05e03ef94ed46a42c37d6ed9

SHA256
f9fac398a0db8fa4ddb9f0f8cd12ad3deac9fc16a3303cc116e5f362eb2e26b1

SHA512
0092fb68844c543b2fcf8e6388b8d61c54e94fdb0bc199a2ab2a2515b189746c53821bdcc4858c267f25f45ddad149b1f34b49b3083daf34b96fd2253a344a51

Download Submit
memory/268-433-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/268-442-0x00000000005E0000-0x0000000000626000-memory.dmp

Filesize
280KB

Download
memory/344-428-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/344-2098-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/544-2630-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/544-750-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/948-242-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/948-1759-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1316-149-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1316-185-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1540-2470-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1540-702-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1740-38-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-43-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1740-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1740-23-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-19-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-13-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-51-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1740-72-0x00000000089A0000-0x00000000089E6000-memory.dmp

Filesize
280KB

Download
memory/1740-50-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1740-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-32-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-87-0x00000000089A0000-0x00000000089B2000-memory.dmp

Filesize
72KB

Download
memory/1740-2-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1740-82-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1740-40-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1740-42-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-48-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1740-52-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1740-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-49-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1768-198-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1820-190-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-597-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-197-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-438-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-269-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-268-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-1134-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-427-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-253-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-650-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-432-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-2671-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-326-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-592-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-304-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-437-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1820-330-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1888-254-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1928-487-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1928-2123-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1968-703-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1984-100-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2012-317-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2012-305-0x00000000005C0000-0x0000000000606000-memory.dmp

Filesize
280KB

Download
memory/2012-271-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2196-1890-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2196-263-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2204-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2204-41-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2260-99-0x0000000002C30000-0x0000000002C76000-memory.dmp

Filesize
280KB

Download
memory/2260-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-98-0x0000000002C30000-0x0000000002C76000-memory.dmp

Filesize
280KB

Download
memory/2260-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-669-0x0000000000520000-0x0000000000566000-memory.dmp

Filesize
280KB

Download
memory/2360-652-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2384-489-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2424-593-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2424-2306-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2476-539-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2476-2299-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2644-379-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2644-1984-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2656-327-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2656-1936-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2680-598-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2680-601-0x0000000001CA0000-0x0000000001CE6000-memory.dmp

Filesize
280KB

Download
memory/2696-328-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2748-380-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2832-2377-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2832-651-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2924-90-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3008-540-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3008-551-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download