warzonerat | 9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
Size

2.9MB
MD5

b61dcd57dd3f48cb913cccdc94e7e640
SHA1

297b7fcd6d163162b3f6835e6c4cc9915102475d
SHA256

9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78
SHA512

349b88cebec87cd5ccf7c76dbd01f602cad8ead03643c095fa870d6b9c58a661e4a344aa726951b015d61b3e9f637eddf4f9d4d4464376554919820968b43553
SSDEEP

24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH1:7v97AXmw4gxeOw46fUbNecCCFbNecs

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 29 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 56 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2536	explorer.exe
4948	explorer.exe
2988	explorer.exe
4320	spoolsv.exe
4988	spoolsv.exe
224	spoolsv.exe
4520	spoolsv.exe
3088	spoolsv.exe
3236	spoolsv.exe
4004	spoolsv.exe
5032	spoolsv.exe
1800	spoolsv.exe
800	spoolsv.exe
5108	spoolsv.exe
4088	spoolsv.exe
3288	spoolsv.exe
3964	spoolsv.exe
4064	spoolsv.exe
4856	spoolsv.exe
540	spoolsv.exe
1368	spoolsv.exe
964	spoolsv.exe
4288	spoolsv.exe
1788	spoolsv.exe
1632	spoolsv.exe
2960	spoolsv.exe
1132	spoolsv.exe
2952	spoolsv.exe
1652	spoolsv.exe
2848	spoolsv.exe
2080	spoolsv.exe
1484	spoolsv.exe
1036	spoolsv.exe
3892	spoolsv.exe
3088	spoolsv.exe
2296	spoolsv.exe
3068	spoolsv.exe
4852	spoolsv.exe
2724	spoolsv.exe
4420	spoolsv.exe
4916	spoolsv.exe
736	spoolsv.exe
1552	spoolsv.exe
228	spoolsv.exe
400	spoolsv.exe
684	spoolsv.exe
1936	spoolsv.exe
964	spoolsv.exe
3136	spoolsv.exe
4796	spoolsv.exe
4464	spoolsv.exe
1860	spoolsv.exe
3960	spoolsv.exe
3328	spoolsv.exe
4076	spoolsv.exe
224	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 31 IoCs

Processes:

9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1408 set thread context of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1836 set thread context of 3976	1836	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 2536 set thread context of 4948	2536	explorer.exe	explorer.exe
PID 4948 set thread context of 2988	4948	explorer.exe	explorer.exe
PID 4948 set thread context of 732	4948	explorer.exe	diskperf.exe
PID 4320 set thread context of 4988	4320	spoolsv.exe	spoolsv.exe
PID 224 set thread context of 4520	224	spoolsv.exe	spoolsv.exe
PID 3088 set thread context of 3236	3088	spoolsv.exe	spoolsv.exe
PID 4004 set thread context of 5032	4004	spoolsv.exe	spoolsv.exe
PID 1800 set thread context of 800	1800	spoolsv.exe	spoolsv.exe
PID 5108 set thread context of 4088	5108	spoolsv.exe	spoolsv.exe
PID 3288 set thread context of 3964	3288	spoolsv.exe	spoolsv.exe
PID 4064 set thread context of 4856	4064	spoolsv.exe	spoolsv.exe
PID 540 set thread context of 1368	540	spoolsv.exe	spoolsv.exe
PID 964 set thread context of 4288	964	spoolsv.exe	spoolsv.exe
PID 1788 set thread context of 1632	1788	spoolsv.exe	spoolsv.exe
PID 2960 set thread context of 1132	2960	spoolsv.exe	spoolsv.exe
PID 2952 set thread context of 1652	2952	spoolsv.exe	spoolsv.exe
PID 2848 set thread context of 2080	2848	spoolsv.exe	spoolsv.exe
PID 1484 set thread context of 1036	1484	spoolsv.exe	spoolsv.exe
PID 3892 set thread context of 3088	3892	spoolsv.exe	spoolsv.exe
PID 2296 set thread context of 3068	2296	spoolsv.exe	spoolsv.exe
PID 4852 set thread context of 2724	4852	spoolsv.exe	spoolsv.exe
PID 4420 set thread context of 4916	4420	spoolsv.exe	spoolsv.exe
PID 736 set thread context of 1552	736	spoolsv.exe	spoolsv.exe
PID 228 set thread context of 400	228	spoolsv.exe	spoolsv.exe
PID 684 set thread context of 1936	684	spoolsv.exe	spoolsv.exe
PID 964 set thread context of 3136	964	spoolsv.exe	spoolsv.exe
PID 4796 set thread context of 4464	4796	spoolsv.exe	spoolsv.exe
PID 1860 set thread context of 3960	1860	spoolsv.exe	spoolsv.exe
PID 3328 set thread context of 4076	3328	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 31 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

spoolsv.exespoolsv.exespoolsv.execmd.exespoolsv.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exespoolsv.execmd.exespoolsv.exespoolsv.execmd.exespoolsv.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.exespoolsv.exespoolsv.execmd.exespoolsv.exespoolsv.execmd.execmd.exespoolsv.execmd.exespoolsv.exespoolsv.exespoolsv.exeexplorer.execmd.execmd.execmd.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.exespoolsv.exe9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exeexplorer.execmd.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.exespoolsv.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.exespoolsv.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
3976	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
3976	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
2536	explorer.exe
2536	explorer.exe
4320	spoolsv.exe
4320	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
224	spoolsv.exe
224	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
3088	spoolsv.exe
3088	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
4004	spoolsv.exe
4004	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
1800	spoolsv.exe
1800	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
5108	spoolsv.exe
5108	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
3288	spoolsv.exe
3288	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
4064	spoolsv.exe
4064	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
540	spoolsv.exe
540	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
964	spoolsv.exe
964	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
1788	spoolsv.exe
1788	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
2960	spoolsv.exe
2960	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
2952	spoolsv.exe
2952	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
2848	spoolsv.exe
2848	spoolsv.exe
2988	explorer.exe
2988	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
3976	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
3976	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
2536	explorer.exe
2536	explorer.exe
2988	explorer.exe
2988	explorer.exe
4320	spoolsv.exe
4320	spoolsv.exe
2988	explorer.exe
2988	explorer.exe
224	spoolsv.exe
224	spoolsv.exe
3088	spoolsv.exe
3088	spoolsv.exe
4004	spoolsv.exe
4004	spoolsv.exe
1800	spoolsv.exe
1800	spoolsv.exe
5108	spoolsv.exe
5108	spoolsv.exe
3288	spoolsv.exe
3288	spoolsv.exe
4064	spoolsv.exe
4064	spoolsv.exe
540	spoolsv.exe
540	spoolsv.exe
964	spoolsv.exe
964	spoolsv.exe
1788	spoolsv.exe
1788	spoolsv.exe
2960	spoolsv.exe
2960	spoolsv.exe
2952	spoolsv.exe
2952	spoolsv.exe
2848	spoolsv.exe
2848	spoolsv.exe
1484	spoolsv.exe
1484	spoolsv.exe
3892	spoolsv.exe
3892	spoolsv.exe
2296	spoolsv.exe
2296	spoolsv.exe
4852	spoolsv.exe
4852	spoolsv.exe
4420	spoolsv.exe
4420	spoolsv.exe
736	spoolsv.exe
736	spoolsv.exe
228	spoolsv.exe
228	spoolsv.exe
684	spoolsv.exe
684	spoolsv.exe
964	spoolsv.exe
964	spoolsv.exe
4796	spoolsv.exe
4796	spoolsv.exe
1860	spoolsv.exe
1860	spoolsv.exe
3328	spoolsv.exe
3328	spoolsv.exe
224	spoolsv.exe
224	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exeexplorer.exe

description	pid	process	target process
PID 1408 wrote to memory of 3692	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	cmd.exe
PID 1408 wrote to memory of 3692	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	cmd.exe
PID 1408 wrote to memory of 3692	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	cmd.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1408 wrote to memory of 1836	1408	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1836 wrote to memory of 3976	1836	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1836 wrote to memory of 3976	1836	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1836 wrote to memory of 3976	1836	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1836 wrote to memory of 3976	1836	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1836 wrote to memory of 3976	1836	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1836 wrote to memory of 3976	1836	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1836 wrote to memory of 3976	1836	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1836 wrote to memory of 3976	1836	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
PID 1836 wrote to memory of 3092	1836	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	diskperf.exe
PID 1836 wrote to memory of 3092	1836	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	diskperf.exe
PID 1836 wrote to memory of 3092	1836	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	diskperf.exe
PID 3976 wrote to memory of 2536	3976	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	explorer.exe
PID 3976 wrote to memory of 2536	3976	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	explorer.exe
PID 3976 wrote to memory of 2536	3976	9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe	explorer.exe
PID 2536 wrote to memory of 3676	2536	explorer.exe	cmd.exe
PID 2536 wrote to memory of 3676	2536	explorer.exe	cmd.exe
PID 2536 wrote to memory of 3676	2536	explorer.exe	cmd.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe
PID 2536 wrote to memory of 4948	2536	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
"C:\Users\Admin\AppData\Local\Temp\9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:3692
- C:\Users\Admin\AppData\Local\Temp\9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
  C:\Users\Admin\AppData\Local\Temp\9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
    C:\Users\Admin\AppData\Local\Temp\9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78N.exe
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3676
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4948
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:4544
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4520
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:5032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:800
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3172
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:684
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3404
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1036
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:400
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:620
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1580
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1984
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4076
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1468
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:732
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
b61dcd57dd3f48cb913cccdc94e7e640

SHA1
297b7fcd6d163162b3f6835e6c4cc9915102475d

SHA256
9d16c6d896a5cceac40f9c65d0c78f76ff57ee468a4708d74f4e74a832d43e78

SHA512
349b88cebec87cd5ccf7c76dbd01f602cad8ead03643c095fa870d6b9c58a661e4a344aa726951b015d61b3e9f637eddf4f9d4d4464376554919820968b43553

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.9MB

MD5
89b04fc862e1c3d03756cb99e7ceb877

SHA1
49b13d8cb07b8a2f22a09b3983ac1abc62dcec97

SHA256
fe778355b089f1d85c1ee837b1ebf517c80d3470200e2d102a0dc9df50ba4dbb

SHA512
c70a906abfaea8f74732f43b0023ad6f4cda8a22b5b658394aa16900e6035ae192d3eb7149886309b5736e7312335284cb3e7d025c6d350f71667fba4271e0ad

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
2.9MB

MD5
6ce9e5897b128aed004f35b16e5f7ef8

SHA1
7636e46ea3539f2b4d01b42be936837393585a47

SHA256
216101cb50989352870da5b20b025b6182b7367270370af4a15af6c2ea0d3926

SHA512
d78fcf21df641a3411a1d7b08ad25d87e7f366d8b6fb88f1e26581076397e7fa3bababf6d3c429f42c4d0fc8908ff1be41e3bda30d3f9af82fb6ef57c89a86bf

Download Submit
memory/400-334-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/732-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/732-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/800-133-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1036-259-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1132-221-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1368-184-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1552-323-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1632-209-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1652-234-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1836-2-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1836-13-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1836-9-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1836-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1836-4-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1836-10-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1836-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1836-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1836-7-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1836-27-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1836-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1836-11-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1836-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1836-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-344-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2080-246-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2724-300-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3068-287-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3088-273-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3136-355-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3236-104-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3236-106-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3236-105-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3236-109-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3236-107-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3236-108-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3960-378-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3964-158-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3976-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4076-390-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4088-145-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4288-196-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4464-366-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4520-93-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4520-94-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4520-95-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4520-97-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4520-92-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4520-96-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4856-171-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4916-313-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4948-48-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4948-39-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4948-44-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4948-41-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4948-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4948-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4948-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4948-67-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4948-62-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4988-80-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4988-83-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4988-82-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4988-81-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4988-79-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4988-78-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5032-118-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5032-117-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5032-121-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5032-119-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5032-116-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5032-120-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download