warzonerat | 65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
Size

2.9MB
MD5

e8d48dbd3a82fb48f7160fb4e5d901e0
SHA1

9653fb158709953b17f3eddc562d8c99d74021b0
SHA256

65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711
SHA512

6ec775657953d54f814df1f351796761a99515390a8befaf4d128fd342233073161c4c63a2710b70813d6cfaeb00a372dbd38eccb2f2ea2cd3c97161c245ce41
SSDEEP

24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHV:7v97AXmw4gxeOw46fUbNecCCFbNecq

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 26 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 51 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2104	explorer.exe
1564	explorer.exe
4192	explorer.exe
3856	spoolsv.exe
3884	spoolsv.exe
2388	spoolsv.exe
936	spoolsv.exe
1956	spoolsv.exe
324	spoolsv.exe
2924	spoolsv.exe
3832	spoolsv.exe
4884	spoolsv.exe
4488	spoolsv.exe
1336	spoolsv.exe
1972	spoolsv.exe
5104	spoolsv.exe
4600	spoolsv.exe
2100	spoolsv.exe
2008	spoolsv.exe
4464	spoolsv.exe
2940	spoolsv.exe
64	spoolsv.exe
3352	spoolsv.exe
4652	spoolsv.exe
4660	spoolsv.exe
2384	spoolsv.exe
1608	spoolsv.exe
2256	spoolsv.exe
4100	spoolsv.exe
1624	spoolsv.exe
4324	spoolsv.exe
1184	spoolsv.exe
2800	spoolsv.exe
452	spoolsv.exe
1664	spoolsv.exe
4384	spoolsv.exe
2916	spoolsv.exe
2152	spoolsv.exe
2452	spoolsv.exe
3480	spoolsv.exe
3052	spoolsv.exe
3784	spoolsv.exe
4860	spoolsv.exe
4656	spoolsv.exe
8	spoolsv.exe
1540	spoolsv.exe
3136	spoolsv.exe
2620	spoolsv.exe
2340	spoolsv.exe
1760	spoolsv.exe
2344	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 30 IoCs

Processes:

65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2132 set thread context of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 1356 set thread context of 2768	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 1356 set thread context of 2444	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	diskperf.exe
PID 2104 set thread context of 1564	2104	explorer.exe	explorer.exe
PID 1564 set thread context of 4192	1564	explorer.exe	explorer.exe
PID 1564 set thread context of 3592	1564	explorer.exe	diskperf.exe
PID 3856 set thread context of 3884	3856	spoolsv.exe	spoolsv.exe
PID 2388 set thread context of 936	2388	spoolsv.exe	spoolsv.exe
PID 1956 set thread context of 324	1956	spoolsv.exe	spoolsv.exe
PID 2924 set thread context of 3832	2924	spoolsv.exe	spoolsv.exe
PID 4884 set thread context of 4488	4884	spoolsv.exe	spoolsv.exe
PID 1336 set thread context of 1972	1336	spoolsv.exe	spoolsv.exe
PID 5104 set thread context of 4600	5104	spoolsv.exe	spoolsv.exe
PID 2100 set thread context of 2008	2100	spoolsv.exe	spoolsv.exe
PID 4464 set thread context of 2940	4464	spoolsv.exe	spoolsv.exe
PID 64 set thread context of 3352	64	spoolsv.exe	spoolsv.exe
PID 4652 set thread context of 4660	4652	spoolsv.exe	spoolsv.exe
PID 2384 set thread context of 1608	2384	spoolsv.exe	spoolsv.exe
PID 2256 set thread context of 4100	2256	spoolsv.exe	spoolsv.exe
PID 1624 set thread context of 4324	1624	spoolsv.exe	spoolsv.exe
PID 1184 set thread context of 2800	1184	spoolsv.exe	spoolsv.exe
PID 452 set thread context of 1664	452	spoolsv.exe	spoolsv.exe
PID 4384 set thread context of 2916	4384	spoolsv.exe	spoolsv.exe
PID 2152 set thread context of 2452	2152	spoolsv.exe	spoolsv.exe
PID 3480 set thread context of 3052	3480	spoolsv.exe	spoolsv.exe
PID 3784 set thread context of 4860	3784	spoolsv.exe	spoolsv.exe
PID 4656 set thread context of 8	4656	spoolsv.exe	spoolsv.exe
PID 1540 set thread context of 3136	1540	spoolsv.exe	spoolsv.exe
PID 2620 set thread context of 2340	2620	spoolsv.exe	spoolsv.exe
PID 1760 set thread context of 2344	1760	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 28 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exespoolsv.exespoolsv.exespoolsv.execmd.exespoolsv.exespoolsv.exespoolsv.execmd.execmd.exespoolsv.exespoolsv.exespoolsv.exeexplorer.execmd.exespoolsv.execmd.exespoolsv.exespoolsv.execmd.exespoolsv.exespoolsv.exe65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.execmd.exespoolsv.execmd.exespoolsv.exespoolsv.exe65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.execmd.execmd.exespoolsv.exeexplorer.execmd.execmd.execmd.exespoolsv.execmd.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.execmd.execmd.execmd.exespoolsv.exespoolsv.execmd.exespoolsv.exespoolsv.execmd.execmd.exespoolsv.exespoolsv.exespoolsv.exe65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exespoolsv.execmd.exespoolsv.exespoolsv.execmd.execmd.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
2768	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
2768	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
2104	explorer.exe
2104	explorer.exe
3856	spoolsv.exe
3856	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
4192	explorer.exe
4192	explorer.exe
2388	spoolsv.exe
2388	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
1956	spoolsv.exe
1956	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
2924	spoolsv.exe
2924	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
4884	spoolsv.exe
4884	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
1336	spoolsv.exe
1336	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
5104	spoolsv.exe
5104	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
2100	spoolsv.exe
2100	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
4464	spoolsv.exe
4464	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
64	spoolsv.exe
64	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
4652	spoolsv.exe
4652	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
2384	spoolsv.exe
2384	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
2256	spoolsv.exe
2256	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
1624	spoolsv.exe
1624	spoolsv.exe
4192	explorer.exe
4192	explorer.exe

Suspicious use of SetWindowsHookEx 58 IoCs

Processes:

pid	process
2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
2768	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
2768	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
2104	explorer.exe
2104	explorer.exe
4192	explorer.exe
4192	explorer.exe
3856	spoolsv.exe
3856	spoolsv.exe
4192	explorer.exe
4192	explorer.exe
2388	spoolsv.exe
2388	spoolsv.exe
1956	spoolsv.exe
1956	spoolsv.exe
2924	spoolsv.exe
2924	spoolsv.exe
4884	spoolsv.exe
4884	spoolsv.exe
1336	spoolsv.exe
1336	spoolsv.exe
5104	spoolsv.exe
5104	spoolsv.exe
2100	spoolsv.exe
2100	spoolsv.exe
4464	spoolsv.exe
4464	spoolsv.exe
64	spoolsv.exe
64	spoolsv.exe
4652	spoolsv.exe
4652	spoolsv.exe
2384	spoolsv.exe
2384	spoolsv.exe
2256	spoolsv.exe
2256	spoolsv.exe
1624	spoolsv.exe
1624	spoolsv.exe
1184	spoolsv.exe
1184	spoolsv.exe
452	spoolsv.exe
452	spoolsv.exe
4384	spoolsv.exe
4384	spoolsv.exe
2152	spoolsv.exe
2152	spoolsv.exe
3480	spoolsv.exe
3480	spoolsv.exe
3784	spoolsv.exe
3784	spoolsv.exe
4656	spoolsv.exe
4656	spoolsv.exe
1540	spoolsv.exe
1540	spoolsv.exe
2620	spoolsv.exe
2620	spoolsv.exe
1760	spoolsv.exe
1760	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exeexplorer.exe

description	pid	process	target process
PID 2132 wrote to memory of 4100	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	cmd.exe
PID 2132 wrote to memory of 4100	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	cmd.exe
PID 2132 wrote to memory of 4100	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	cmd.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 2132 wrote to memory of 1356	2132	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 1356 wrote to memory of 2768	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 1356 wrote to memory of 2768	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 1356 wrote to memory of 2768	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 1356 wrote to memory of 2768	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 1356 wrote to memory of 2768	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 1356 wrote to memory of 2768	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 1356 wrote to memory of 2768	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 1356 wrote to memory of 2768	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
PID 1356 wrote to memory of 2444	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	diskperf.exe
PID 1356 wrote to memory of 2444	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	diskperf.exe
PID 1356 wrote to memory of 2444	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	diskperf.exe
PID 1356 wrote to memory of 2444	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	diskperf.exe
PID 1356 wrote to memory of 2444	1356	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	diskperf.exe
PID 2768 wrote to memory of 2104	2768	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	explorer.exe
PID 2768 wrote to memory of 2104	2768	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	explorer.exe
PID 2768 wrote to memory of 2104	2768	65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe	explorer.exe
PID 2104 wrote to memory of 2008	2104	explorer.exe	cmd.exe
PID 2104 wrote to memory of 2008	2104	explorer.exe	cmd.exe
PID 2104 wrote to memory of 2008	2104	explorer.exe	cmd.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe
PID 2104 wrote to memory of 1564	2104	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
"C:\Users\Admin\AppData\Local\Temp\65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:4100
- C:\Users\Admin\AppData\Local\Temp\65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
  C:\Users\Admin\AppData\Local\Temp\65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
    C:\Users\Admin\AppData\Local\Temp\65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711N.exe
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2008
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1564
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:324
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4488
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3872
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4600
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:560
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:672
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2916
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4860
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3136
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1056
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2344
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3592
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
e8d48dbd3a82fb48f7160fb4e5d901e0

SHA1
9653fb158709953b17f3eddc562d8c99d74021b0

SHA256
65831e8f2e7fdfd3a41aaee96033c4687b362ea7e5242354e5de8b3ba94e6711

SHA512
6ec775657953d54f814df1f351796761a99515390a8befaf4d128fd342233073161c4c63a2710b70813d6cfaeb00a372dbd38eccb2f2ea2cd3c97161c245ce41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.9MB

MD5
c9b9526be2b1091ebb5f14572fb146a4

SHA1
e407c2e27168d2a805b88769f2575a4607e558aa

SHA256
c13207a4253eca47965af6cbd4554d1b88890b487cbbcc0b414e0eb120898b6d

SHA512
e8bd4486c7ac13721894d64ecfe317648094aeb305c239364f62933cd3cf59a5607c21825bed7ece3342023e7a8a78acc4e1a56c40b8e60e9e6e1edf5280f4ce

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.9MB

MD5
f1256a6f450a5bd61892114ad482db11

SHA1
318441c54297ae32d73ec1c3e280850f9c598119

SHA256
26d692b785c274b09532db9191c74c10c996a02be7789f913d7a1e756b76cccf

SHA512
f4dd1a4c64db72750994e309c1f4a7ee0745f4edd3bef094ef161167cdcdec2d48b53ca9aa19c9c047684ad5cfbe33ec4c579b169632a35789104023f47fab34

Download Submit
memory/8-338-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/324-111-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/936-98-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/936-99-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/936-96-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/936-95-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/936-97-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/936-94-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1356-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1356-12-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1356-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1356-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1356-26-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1356-3-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1356-9-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1356-8-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1356-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1356-6-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1356-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1356-2-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1356-10-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1564-69-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1564-40-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1564-50-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1564-44-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1564-66-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1564-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1564-41-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1564-42-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1564-46-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1564-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-223-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1664-274-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1972-147-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2008-172-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2340-360-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2344-366-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2444-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2444-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2444-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2452-305-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2768-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-262-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2916-290-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2940-185-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3052-317-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3136-349-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3352-198-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3832-122-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3884-80-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3884-83-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3884-81-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3884-84-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3884-82-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3884-85-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4100-236-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4192-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4324-249-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4488-135-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4600-160-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4660-210-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4860-324-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download