warzonerat | d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22f

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
Size

2.9MB
MD5

57392a56e3fd6f171e1da9653fdeb0b0
SHA1

0a564bfd7ada338fc58df1ab8d79ca9569b4bc75
SHA256

d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22f
SHA512

d065c2e34b2ba4440c098722597141312431811a6f072cf62982e969e1b9ba633a5169cb19a39862f4922f8f132b037f03258eed9b1387ac77f32bfc1d68818d
SSDEEP

24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHb:7v97AXmw4gxeOw46fUbNecCCFbNecM

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 14 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 30 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2908	explorer.exe
2416	explorer.exe
4724	explorer.exe
2044	spoolsv.exe
1452	spoolsv.exe
2792	spoolsv.exe
2228	spoolsv.exe
1596	spoolsv.exe
2916	spoolsv.exe
1700	spoolsv.exe
4024	spoolsv.exe
2148	spoolsv.exe
3924	spoolsv.exe
3236	spoolsv.exe
3872	spoolsv.exe
2308	spoolsv.exe
880	spoolsv.exe
4904	spoolsv.exe
4896	spoolsv.exe
3540	spoolsv.exe
4032	spoolsv.exe
3116	spoolsv.exe
4568	spoolsv.exe
3216	spoolsv.exe
2860	spoolsv.exe
3480	spoolsv.exe
3972	spoolsv.exe
1180	spoolsv.exe
4836	spoolsv.exe
4560	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exed58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe

Suspicious use of SetThreadContext 19 IoCs

Processes:

d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exed58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 384 set thread context of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 2996 set thread context of 2108	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 2996 set thread context of 5004	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	diskperf.exe
PID 2908 set thread context of 2416	2908	explorer.exe	explorer.exe
PID 2416 set thread context of 4724	2416	explorer.exe	explorer.exe
PID 2416 set thread context of 1592	2416	explorer.exe	diskperf.exe
PID 2044 set thread context of 1452	2044	spoolsv.exe	spoolsv.exe
PID 2792 set thread context of 2228	2792	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 2916	1596	spoolsv.exe	spoolsv.exe
PID 1700 set thread context of 4024	1700	spoolsv.exe	spoolsv.exe
PID 2148 set thread context of 3924	2148	spoolsv.exe	spoolsv.exe
PID 3236 set thread context of 3872	3236	spoolsv.exe	spoolsv.exe
PID 2308 set thread context of 880	2308	spoolsv.exe	spoolsv.exe
PID 4904 set thread context of 4896	4904	spoolsv.exe	spoolsv.exe
PID 3540 set thread context of 4032	3540	spoolsv.exe	spoolsv.exe
PID 3116 set thread context of 4568	3116	spoolsv.exe	spoolsv.exe
PID 3216 set thread context of 2860	3216	spoolsv.exe	spoolsv.exe
PID 3480 set thread context of 3972	3480	spoolsv.exe	spoolsv.exe
PID 1180 set thread context of 4836	1180	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 18 IoCs

Processes:

spoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exed58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.execmd.exespoolsv.exespoolsv.exespoolsv.exespoolsv.execmd.exespoolsv.exespoolsv.execmd.execmd.exespoolsv.exespoolsv.execmd.exespoolsv.exespoolsv.execmd.exespoolsv.exed58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.execmd.exespoolsv.exespoolsv.exespoolsv.execmd.exed58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.execmd.execmd.execmd.exed58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.execmd.exespoolsv.execmd.exespoolsv.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exed58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
2108	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
2108	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
2908	explorer.exe
2908	explorer.exe
2044	spoolsv.exe
2044	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
4724	explorer.exe
4724	explorer.exe
2792	spoolsv.exe
2792	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
1596	spoolsv.exe
1596	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
1700	spoolsv.exe
1700	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
2148	spoolsv.exe
2148	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
3236	spoolsv.exe
3236	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
2308	spoolsv.exe
2308	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
4904	spoolsv.exe
4904	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
3540	spoolsv.exe
3540	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
3116	spoolsv.exe
3116	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
3216	spoolsv.exe
3216	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
3480	spoolsv.exe
3480	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
1180	spoolsv.exe
1180	spoolsv.exe
4724	explorer.exe
4724	explorer.exe

Suspicious use of SetWindowsHookEx 38 IoCs

Processes:

pid	process
384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
2108	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
2108	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
2908	explorer.exe
2908	explorer.exe
4724	explorer.exe
4724	explorer.exe
2044	spoolsv.exe
2044	spoolsv.exe
4724	explorer.exe
4724	explorer.exe
2792	spoolsv.exe
2792	spoolsv.exe
1596	spoolsv.exe
1596	spoolsv.exe
1700	spoolsv.exe
1700	spoolsv.exe
2148	spoolsv.exe
2148	spoolsv.exe
3236	spoolsv.exe
3236	spoolsv.exe
2308	spoolsv.exe
2308	spoolsv.exe
4904	spoolsv.exe
4904	spoolsv.exe
3540	spoolsv.exe
3540	spoolsv.exe
3116	spoolsv.exe
3116	spoolsv.exe
3216	spoolsv.exe
3216	spoolsv.exe
3480	spoolsv.exe
3480	spoolsv.exe
1180	spoolsv.exe
1180	spoolsv.exe
4560	spoolsv.exe
4560	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exed58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exed58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exeexplorer.exe

description	pid	process	target process
PID 384 wrote to memory of 1960	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	cmd.exe
PID 384 wrote to memory of 1960	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	cmd.exe
PID 384 wrote to memory of 1960	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	cmd.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 384 wrote to memory of 2996	384	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 2996 wrote to memory of 2108	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 2996 wrote to memory of 2108	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 2996 wrote to memory of 2108	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 2996 wrote to memory of 2108	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 2996 wrote to memory of 2108	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 2996 wrote to memory of 2108	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 2996 wrote to memory of 2108	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 2996 wrote to memory of 2108	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
PID 2996 wrote to memory of 5004	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	diskperf.exe
PID 2996 wrote to memory of 5004	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	diskperf.exe
PID 2996 wrote to memory of 5004	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	diskperf.exe
PID 2996 wrote to memory of 5004	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	diskperf.exe
PID 2996 wrote to memory of 5004	2996	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	diskperf.exe
PID 2108 wrote to memory of 2908	2108	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	explorer.exe
PID 2108 wrote to memory of 2908	2108	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	explorer.exe
PID 2108 wrote to memory of 2908	2108	d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe	explorer.exe
PID 2908 wrote to memory of 4552	2908	explorer.exe	cmd.exe
PID 2908 wrote to memory of 4552	2908	explorer.exe	cmd.exe
PID 2908 wrote to memory of 4552	2908	explorer.exe	cmd.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe
PID 2908 wrote to memory of 2416	2908	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
"C:\Users\Admin\AppData\Local\Temp\d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1960
- C:\Users\Admin\AppData\Local\Temp\d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
  C:\Users\Admin\AppData\Local\Temp\d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
    C:\Users\Admin\AppData\Local\Temp\d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22fN.exe
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4552
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2416
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2332
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3528
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:880
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:400
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4636
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1592
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
57392a56e3fd6f171e1da9653fdeb0b0

SHA1
0a564bfd7ada338fc58df1ab8d79ca9569b4bc75

SHA256
d58cd97069c057cc4de15f01e7dca86b4021a9a43cbc7732e767ff99f188c22f

SHA512
d065c2e34b2ba4440c098722597141312431811a6f072cf62982e969e1b9ba633a5169cb19a39862f4922f8f132b037f03258eed9b1387ac77f32bfc1d68818d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.9MB

MD5
03acd00c52b8114914d4f4d2661537a0

SHA1
046e633cdcf9a8b3946e3987117bb4226875024c

SHA256
35356f2e26155c249c51af4f79e5ff53a5f8e4107761dae65b00406b6eb93bed

SHA512
ec7ed9b4cf7665e8f16c7319abd0da810940ccbc68f0a3f42bfa1c790d84f9a4e275b42067311b8e482baadfdef2e858d387e1fa892f48489bf3d493adb6c496

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.9MB

MD5
dc625a36eb19d8028a32b3a06a152f27

SHA1
0b8b82486f0b4a9ac4c6ca759e683d9a42800ca3

SHA256
f16362e7e7d557c19e67dacb7583e72bea9101d5020e3a3bd5ecadaed1ee0d9a

SHA512
32e43fc364b9fad9e36156ccb89e8ac3dd572868ce1261e8715c1d1c1d7145d48a0301a6c52a268195cc40cbeefbb164b288fb9aa7c2691681131e0dc374ed14

Download Submit
memory/880-159-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1452-83-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1452-85-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1452-84-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1452-86-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1452-80-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1452-82-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2108-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2228-96-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2228-94-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2228-95-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2228-93-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2228-97-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2228-98-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2416-46-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2416-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2416-41-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2416-68-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2416-45-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2416-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2416-42-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2416-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2416-50-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2416-75-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2860-210-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2916-108-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2916-106-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2916-107-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2916-105-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2916-109-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2916-110-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2996-10-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2996-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2996-11-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2996-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2996-6-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2996-2-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2996-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2996-30-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2996-8-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2996-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2996-9-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2996-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2996-12-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2996-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3872-147-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3924-134-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3972-223-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4024-122-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4032-184-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4568-197-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4724-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-235-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4896-171-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5004-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5004-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5004-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download