warzonerat | 3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
Size

2.9MB
MD5

5f872bf66a9e456c70f7ee4fa6b53e4c
SHA1

b1671863784faf70581dbfe7567341dc5bf8f304
SHA256

3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b
SHA512

3306d0938d1226d893b0e6db11b3a16ce183e71604c559b0c2dd42b60d062fac66cea810b32abcc8fd5b0ac2b85f832433baa732fa728b928da862aa5f16edc9
SSDEEP

24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHm:7v97AXmw4gxeOw46fUbNecCCFbNecF

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000015d5c-89.dat	warzonerat
behavioral1/files/0x0008000000015d2e-167.dat	warzonerat
behavioral1/files/0x0008000000015d64-190.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 21 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
1800	explorer.exe
1784	explorer.exe
480	explorer.exe
300	spoolsv.exe
280	spoolsv.exe
2240	spoolsv.exe
1288	spoolsv.exe
2884	spoolsv.exe
1248	spoolsv.exe
2760	spoolsv.exe
2580	spoolsv.exe
1816	spoolsv.exe
2292	spoolsv.exe
1560	spoolsv.exe
1628	spoolsv.exe
2312	spoolsv.exe
1796	spoolsv.exe
912	spoolsv.exe
948	spoolsv.exe
1048	spoolsv.exe
2780	spoolsv.exe
2824	spoolsv.exe
2072	spoolsv.exe
2180	spoolsv.exe
1036	spoolsv.exe
2400	spoolsv.exe
2708	spoolsv.exe
3016	spoolsv.exe
936	spoolsv.exe
836	spoolsv.exe
572	spoolsv.exe
1564	spoolsv.exe
2944	spoolsv.exe
2692	spoolsv.exe
2148	spoolsv.exe
2364	spoolsv.exe
2396	spoolsv.exe
748	spoolsv.exe
3004	spoolsv.exe
1892	spoolsv.exe
908	spoolsv.exe
1900	spoolsv.exe
1304	spoolsv.exe
2676	spoolsv.exe
2324	spoolsv.exe
2996	spoolsv.exe
2608	spoolsv.exe
2904	spoolsv.exe
2760	spoolsv.exe
1792	spoolsv.exe
1352	spoolsv.exe
828	spoolsv.exe
1588	explorer.exe
680	spoolsv.exe
2452	spoolsv.exe
1764	explorer.exe
1228	spoolsv.exe
1896	explorer.exe
1928	spoolsv.exe
2000	spoolsv.exe
2456	explorer.exe
2244	spoolsv.exe
1260	spoolsv.exe
2228	spoolsv.exe

Loads dropped DLL 64 IoCs

pid	Process
2604	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
2604	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
480	explorer.exe
480	explorer.exe
300	spoolsv.exe
480	explorer.exe
480	explorer.exe
2240	spoolsv.exe
480	explorer.exe
480	explorer.exe
2884	spoolsv.exe
480	explorer.exe
480	explorer.exe
2760	spoolsv.exe
480	explorer.exe
480	explorer.exe
1816	spoolsv.exe
480	explorer.exe
480	explorer.exe
1560	spoolsv.exe
480	explorer.exe
480	explorer.exe
2312	spoolsv.exe
480	explorer.exe
480	explorer.exe
912	spoolsv.exe
480	explorer.exe
480	explorer.exe
1048	spoolsv.exe
480	explorer.exe
480	explorer.exe
2824	spoolsv.exe
480	explorer.exe
480	explorer.exe
2180	spoolsv.exe
480	explorer.exe
480	explorer.exe
2400	spoolsv.exe
480	explorer.exe
480	explorer.exe
3016	spoolsv.exe
480	explorer.exe
480	explorer.exe
836	spoolsv.exe
480	explorer.exe
480	explorer.exe
1564	spoolsv.exe
480	explorer.exe
480	explorer.exe
2692	spoolsv.exe
480	explorer.exe
480	explorer.exe
2364	spoolsv.exe
480	explorer.exe
480	explorer.exe
748	spoolsv.exe
480	explorer.exe
480	explorer.exe
1892	spoolsv.exe
480	explorer.exe
480	explorer.exe
1900	spoolsv.exe
480	explorer.exe
480	explorer.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 48 IoCs

description	pid	Process	procid_target
PID 2868 set thread context of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 1324 set thread context of 2604	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	33
PID 1324 set thread context of 2536	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	34
PID 1800 set thread context of 1784	1800	explorer.exe	38
PID 1784 set thread context of 480	1784	explorer.exe	39
PID 1784 set thread context of 1620	1784	explorer.exe	40
PID 300 set thread context of 280	300	spoolsv.exe	44
PID 2884 set thread context of 1248	2884	spoolsv.exe	52
PID 2760 set thread context of 2580	2760	spoolsv.exe	56
PID 1816 set thread context of 2292	1816	spoolsv.exe	59
PID 1560 set thread context of 1628	1560	spoolsv.exe	63
PID 2312 set thread context of 1796	2312	spoolsv.exe	67
PID 912 set thread context of 948	912	spoolsv.exe	70
PID 1048 set thread context of 2780	1048	spoolsv.exe	74
PID 2824 set thread context of 2072	2824	spoolsv.exe	77
PID 2180 set thread context of 1036	2180	spoolsv.exe	81
PID 2400 set thread context of 2708	2400	spoolsv.exe	85
PID 3016 set thread context of 936	3016	spoolsv.exe	89
PID 836 set thread context of 572	836	spoolsv.exe	93
PID 1564 set thread context of 2944	1564	spoolsv.exe	97
PID 2692 set thread context of 2148	2692	spoolsv.exe	101
PID 2364 set thread context of 2396	2364	spoolsv.exe	105
PID 748 set thread context of 3004	748	spoolsv.exe	109
PID 1892 set thread context of 908	1892	spoolsv.exe	113
PID 1900 set thread context of 1304	1900	spoolsv.exe	116
PID 2676 set thread context of 2324	2676	spoolsv.exe	120
PID 2996 set thread context of 2608	2996	spoolsv.exe	124
PID 2904 set thread context of 2760	2904	spoolsv.exe	127
PID 1792 set thread context of 1352	1792	spoolsv.exe	131
PID 280 set thread context of 828	280	spoolsv.exe	132
PID 280 set thread context of 2836	280	spoolsv.exe	133
PID 1588 set thread context of 1764	1588	explorer.exe	140
PID 1288 set thread context of 2452	1288	spoolsv.exe	142
PID 1288 set thread context of 2724	1288	spoolsv.exe	143
PID 680 set thread context of 1928	680	spoolsv.exe	141
PID 1248 set thread context of 1228	1248	spoolsv.exe	144
PID 1248 set thread context of 2976	1248	spoolsv.exe	145
PID 2580 set thread context of 2000	2580	spoolsv.exe	150
PID 2580 set thread context of 2936	2580	spoolsv.exe	151
PID 1896 set thread context of 2456	1896	explorer.exe	149
PID 2292 set thread context of 1260	2292	spoolsv.exe	155
PID 2244 set thread context of 2228	2244	spoolsv.exe	154
PID 2292 set thread context of 1336	2292	spoolsv.exe	157
PID 1628 set thread context of 1948	1628	spoolsv.exe	163
PID 1628 set thread context of 2088	1628	spoolsv.exe	164
PID 1500 set thread context of 1940	1500	explorer.exe	165
PID 2344 set thread context of 1032	2344	spoolsv.exe	166
PID 1796 set thread context of 2576	1796	spoolsv.exe	168

Drops file in Windows directory 34 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
2604	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
1800	explorer.exe
300	spoolsv.exe
480	explorer.exe
480	explorer.exe
480	explorer.exe
2884	spoolsv.exe
480	explorer.exe
2760	spoolsv.exe
480	explorer.exe
1816	spoolsv.exe
480	explorer.exe
1560	spoolsv.exe
480	explorer.exe
2312	spoolsv.exe
480	explorer.exe
912	spoolsv.exe
480	explorer.exe
1048	spoolsv.exe
480	explorer.exe
2824	spoolsv.exe
480	explorer.exe
2180	spoolsv.exe
480	explorer.exe
2400	spoolsv.exe
480	explorer.exe
3016	spoolsv.exe
480	explorer.exe
836	spoolsv.exe
480	explorer.exe
1564	spoolsv.exe
480	explorer.exe
2692	spoolsv.exe
480	explorer.exe
2364	spoolsv.exe
480	explorer.exe
748	spoolsv.exe
480	explorer.exe
1892	spoolsv.exe
480	explorer.exe
1900	spoolsv.exe
480	explorer.exe
2676	spoolsv.exe
480	explorer.exe
2996	spoolsv.exe
480	explorer.exe
2904	spoolsv.exe
480	explorer.exe
1792	spoolsv.exe
480	explorer.exe
1588	explorer.exe
680	spoolsv.exe
1896	explorer.exe
480	explorer.exe
2244	spoolsv.exe
480	explorer.exe
1500	explorer.exe
2344	spoolsv.exe
480	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
2604	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
2604	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
1800	explorer.exe
1800	explorer.exe
480	explorer.exe
480	explorer.exe
300	spoolsv.exe
300	spoolsv.exe
480	explorer.exe
480	explorer.exe
2884	spoolsv.exe
2884	spoolsv.exe
2760	spoolsv.exe
2760	spoolsv.exe
1816	spoolsv.exe
1816	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe
2312	spoolsv.exe
2312	spoolsv.exe
912	spoolsv.exe
912	spoolsv.exe
1048	spoolsv.exe
1048	spoolsv.exe
2824	spoolsv.exe
2824	spoolsv.exe
2180	spoolsv.exe
2180	spoolsv.exe
2400	spoolsv.exe
2400	spoolsv.exe
3016	spoolsv.exe
3016	spoolsv.exe
836	spoolsv.exe
836	spoolsv.exe
1564	spoolsv.exe
1564	spoolsv.exe
2692	spoolsv.exe
2692	spoolsv.exe
2364	spoolsv.exe
2364	spoolsv.exe
748	spoolsv.exe
748	spoolsv.exe
1892	spoolsv.exe
1892	spoolsv.exe
1900	spoolsv.exe
1900	spoolsv.exe
2676	spoolsv.exe
2676	spoolsv.exe
2996	spoolsv.exe
2996	spoolsv.exe
2904	spoolsv.exe
2904	spoolsv.exe
1792	spoolsv.exe
1792	spoolsv.exe
828	spoolsv.exe
828	spoolsv.exe
1588	explorer.exe
1588	explorer.exe
680	spoolsv.exe
680	spoolsv.exe
2452	spoolsv.exe
2452	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2080	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	28
PID 2868 wrote to memory of 2080	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	28
PID 2868 wrote to memory of 2080	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	28
PID 2868 wrote to memory of 2080	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	28
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 2868 wrote to memory of 1324	2868	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	30
PID 1324 wrote to memory of 2604	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	33
PID 1324 wrote to memory of 2604	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	33
PID 1324 wrote to memory of 2604	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	33
PID 1324 wrote to memory of 2604	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	33
PID 1324 wrote to memory of 2604	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	33
PID 1324 wrote to memory of 2604	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	33
PID 1324 wrote to memory of 2604	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	33
PID 1324 wrote to memory of 2604	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	33
PID 1324 wrote to memory of 2604	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	33
PID 1324 wrote to memory of 2536	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	34
PID 1324 wrote to memory of 2536	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	34
PID 1324 wrote to memory of 2536	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	34
PID 1324 wrote to memory of 2536	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	34
PID 1324 wrote to memory of 2536	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	34
PID 1324 wrote to memory of 2536	1324	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	34
PID 2604 wrote to memory of 1800	2604	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	35
PID 2604 wrote to memory of 1800	2604	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	35
PID 2604 wrote to memory of 1800	2604	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	35
PID 2604 wrote to memory of 1800	2604	3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe	35
PID 1800 wrote to memory of 2300	1800	explorer.exe	36
PID 1800 wrote to memory of 2300	1800	explorer.exe	36
PID 1800 wrote to memory of 2300	1800	explorer.exe	36
PID 1800 wrote to memory of 2300	1800	explorer.exe	36
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38
PID 1800 wrote to memory of 1784	1800	explorer.exe	38

C:\Users\Admin\AppData\Local\Temp\3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
"C:\Users\Admin\AppData\Local\Temp\3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
  C:\Users\Admin\AppData\Local\Temp\3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
    C:\Users\Admin\AppData\Local\Temp\3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        
        PID:2300
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1784
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:480
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2836
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1288
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        
        PID:1996
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2976
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1820
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:1604
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1336
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2088
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1776
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2576
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        
        PID:2612
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:268
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:948
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:752
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2180
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2384
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2932
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2072
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:980
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2424
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1648
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:572
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2384
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2596
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1304
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2524
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2212
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2312
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:748
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1504
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1436
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1388
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1620
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
5f872bf66a9e456c70f7ee4fa6b53e4c

SHA1
b1671863784faf70581dbfe7567341dc5bf8f304

SHA256
3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b

SHA512
3306d0938d1226d893b0e6db11b3a16ce183e71604c559b0c2dd42b60d062fac66cea810b32abcc8fd5b0ac2b85f832433baa732fa728b928da862aa5f16edc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
1315bca6391389a0a98c890193a81409

SHA1
a1622276767b4968cac0d4d72addab251a125d4d

SHA256
b6fda56aad4e6c5d2232fb0d1200a74a210cf116058503a87ea3c0d9e349e14e

SHA512
666db3fb41773f728878e09a1e4c8e6f46b55005f5b9bb0b2b9ab7a8426485a22f0d6c3d3d00b6dfddd909e4b84b3747af0ae02b17fd64c498ed5cb3ede05cb2

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
2.9MB

MD5
386a5c23cc31cc4004298be60141d780

SHA1
52069cd7eebdda01f0e2c6db867b68e89f5f6740

SHA256
44dfe95e994f175f953d5fce120a31a0ed239903bfcc64489a8538c76fb0bc43

SHA512
dd78d993fab790d4ef9125455e93d62523bccf028ded2057ab36587b9f46e20679cda7ddbac534050a9b97e60ae85b8c3505b73681487fb1196461015cee1d3e

Download Submit
memory/280-244-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/280-1365-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/572-861-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/948-1864-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/948-569-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1036-716-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1248-310-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1248-1512-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1288-252-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1288-1461-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1324-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1324-41-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-29-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-23-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-16-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-40-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1324-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-52-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1324-36-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-38-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1324-51-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1324-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1324-86-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1324-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1324-50-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1324-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-22-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1324-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1628-1688-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1628-455-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1784-180-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1784-148-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1796-509-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1796-1807-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2072-667-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2148-954-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2292-409-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2292-1663-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2396-1004-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2536-87-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2580-1562-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2580-367-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2604-142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-763-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2780-633-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2944-907-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download