warzonerat | 90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe
Size

8.9MB
MD5

30710ac07def2e7ebdcb8e756d5e8710
SHA1

1e597b9323b43972c9edd399c5a66f243a9e21a4
SHA256

90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568
SHA512

4746aedd70f05fc457ee61bee8c827760a8c27d7b128770831a07a822c2944e6725eca7c317eb5972a709a2c6a6a9e3aa515bc773eb10eeabcf61e732bbe27fd
SSDEEP

49152:K1XP6rPbNechC0bNechC0bNecIC0bNechC0bNechC0bNecy:K1+8e8e8f8e8e8D

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x0007000000019d8e-35.dat	warzonerat
behavioral1/memory/2928-42-0x0000000003400000-0x0000000003515000-memory.dmp	warzonerat
behavioral1/files/0x0007000000019c57-67.dat	warzonerat
behavioral1/files/0x0009000000019cba-80.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	Process
2764	explorer.exe
2988	explorer.exe
3036	spoolsv.exe
1740	spoolsv.exe
2084	spoolsv.exe
2348	spoolsv.exe
2636	spoolsv.exe
2400	spoolsv.exe
952	spoolsv.exe
2120	spoolsv.exe
2352	spoolsv.exe
1588	spoolsv.exe
2556	spoolsv.exe
800	spoolsv.exe
1516	spoolsv.exe
2580	spoolsv.exe
2524	spoolsv.exe
2392	spoolsv.exe
2652	spoolsv.exe
2380	spoolsv.exe
1568	spoolsv.exe
2948	spoolsv.exe
3024	spoolsv.exe
2716	spoolsv.exe
2856	spoolsv.exe
2684	spoolsv.exe
2740	spoolsv.exe
408	spoolsv.exe
1616	spoolsv.exe
2388	spoolsv.exe
2060	spoolsv.exe
2444	spoolsv.exe
2012	spoolsv.exe
3000	spoolsv.exe
1408	spoolsv.exe
2532	spoolsv.exe
1840	spoolsv.exe
856	spoolsv.exe
2428	spoolsv.exe
2052	spoolsv.exe
888	spoolsv.exe
2940	spoolsv.exe
1860	spoolsv.exe
1780	spoolsv.exe
2156	spoolsv.exe
2004	spoolsv.exe
1728	spoolsv.exe
920	spoolsv.exe
2248	spoolsv.exe
2568	spoolsv.exe
2136	spoolsv.exe
1356	spoolsv.exe
2300	spoolsv.exe
1988	spoolsv.exe
2584	spoolsv.exe
632	spoolsv.exe
1332	spoolsv.exe
3052	spoolsv.exe
1216	spoolsv.exe
692	spoolsv.exe
2244	spoolsv.exe
3068	spoolsv.exe
1708	spoolsv.exe
2904	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exeexplorer.exe

pid	Process
2928	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe
2928	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exeexplorer.exeexplorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exeexplorer.exe

description	pid	Process	procid_target
PID 2296 set thread context of 2928	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	30
PID 2296 set thread context of 1808	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	31
PID 2764 set thread context of 2988	2764	explorer.exe	33
PID 2764 set thread context of 2984	2764	explorer.exe	34

Drops file in Windows directory 3 IoCs

Processes:

90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exeexplorer.exe

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exespoolsv.exespoolsv.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exeexplorer.exe

pid	Process
2928	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid	Process
2988	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exeexplorer.exe

pid	Process
2928	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe
2928	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exeexplorer.exeexplorer.exe

description	pid	Process	procid_target
PID 2296 wrote to memory of 2928	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	30
PID 2296 wrote to memory of 2928	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	30
PID 2296 wrote to memory of 2928	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	30
PID 2296 wrote to memory of 2928	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	30
PID 2296 wrote to memory of 2928	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	30
PID 2296 wrote to memory of 2928	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	30
PID 2296 wrote to memory of 2928	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	30
PID 2296 wrote to memory of 2928	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	30
PID 2296 wrote to memory of 2928	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	30
PID 2296 wrote to memory of 1808	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	31
PID 2296 wrote to memory of 1808	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	31
PID 2296 wrote to memory of 1808	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	31
PID 2296 wrote to memory of 1808	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	31
PID 2296 wrote to memory of 1808	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	31
PID 2296 wrote to memory of 1808	2296	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	31
PID 2928 wrote to memory of 2764	2928	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	32
PID 2928 wrote to memory of 2764	2928	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	32
PID 2928 wrote to memory of 2764	2928	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	32
PID 2928 wrote to memory of 2764	2928	90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe	32
PID 2764 wrote to memory of 2988	2764	explorer.exe	33
PID 2764 wrote to memory of 2988	2764	explorer.exe	33
PID 2764 wrote to memory of 2988	2764	explorer.exe	33
PID 2764 wrote to memory of 2988	2764	explorer.exe	33
PID 2764 wrote to memory of 2988	2764	explorer.exe	33
PID 2764 wrote to memory of 2988	2764	explorer.exe	33
PID 2764 wrote to memory of 2988	2764	explorer.exe	33
PID 2764 wrote to memory of 2988	2764	explorer.exe	33
PID 2764 wrote to memory of 2988	2764	explorer.exe	33
PID 2764 wrote to memory of 2984	2764	explorer.exe	34
PID 2764 wrote to memory of 2984	2764	explorer.exe	34
PID 2764 wrote to memory of 2984	2764	explorer.exe	34
PID 2764 wrote to memory of 2984	2764	explorer.exe	34
PID 2764 wrote to memory of 2984	2764	explorer.exe	34
PID 2764 wrote to memory of 2984	2764	explorer.exe	34
PID 2988 wrote to memory of 3036	2988	explorer.exe	35
PID 2988 wrote to memory of 3036	2988	explorer.exe	35
PID 2988 wrote to memory of 3036	2988	explorer.exe	35
PID 2988 wrote to memory of 3036	2988	explorer.exe	35
PID 2988 wrote to memory of 1740	2988	explorer.exe	36
PID 2988 wrote to memory of 1740	2988	explorer.exe	36
PID 2988 wrote to memory of 1740	2988	explorer.exe	36
PID 2988 wrote to memory of 1740	2988	explorer.exe	36
PID 2988 wrote to memory of 2084	2988	explorer.exe	37
PID 2988 wrote to memory of 2084	2988	explorer.exe	37
PID 2988 wrote to memory of 2084	2988	explorer.exe	37
PID 2988 wrote to memory of 2084	2988	explorer.exe	37
PID 2988 wrote to memory of 2348	2988	explorer.exe	38
PID 2988 wrote to memory of 2348	2988	explorer.exe	38
PID 2988 wrote to memory of 2348	2988	explorer.exe	38
PID 2988 wrote to memory of 2348	2988	explorer.exe	38
PID 2988 wrote to memory of 2636	2988	explorer.exe	39
PID 2988 wrote to memory of 2636	2988	explorer.exe	39
PID 2988 wrote to memory of 2636	2988	explorer.exe	39
PID 2988 wrote to memory of 2636	2988	explorer.exe	39
PID 2988 wrote to memory of 2400	2988	explorer.exe	40
PID 2988 wrote to memory of 2400	2988	explorer.exe	40
PID 2988 wrote to memory of 2400	2988	explorer.exe	40
PID 2988 wrote to memory of 2400	2988	explorer.exe	40
PID 2988 wrote to memory of 952	2988	explorer.exe	41
PID 2988 wrote to memory of 952	2988	explorer.exe	41
PID 2988 wrote to memory of 952	2988	explorer.exe	41
PID 2988 wrote to memory of 952	2988	explorer.exe	41
PID 2988 wrote to memory of 2120	2988	explorer.exe	42
PID 2988 wrote to memory of 2120	2988	explorer.exe	42

C:\Users\Admin\AppData\Local\Temp\90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe
"C:\Users\Admin\AppData\Local\Temp\90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe
  "C:\Users\Admin\AppData\Local\Temp\90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568N.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2928
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2656
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:2984
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.9MB

MD5
30710ac07def2e7ebdcb8e756d5e8710

SHA1
1e597b9323b43972c9edd399c5a66f243a9e21a4

SHA256
90c5b18b851b8409a29cde110e460056f88e1f66ae49b501da85cf3ffdca9568

SHA512
4746aedd70f05fc457ee61bee8c827760a8c27d7b128770831a07a822c2944e6725eca7c317eb5972a709a2c6a6a9e3aa515bc773eb10eeabcf61e732bbe27fd

Download Submit
C:\Windows\system\explorer.exe

Filesize
8.9MB

MD5
3c72dc8e7ec10fcfa5fa4aded4660d54

SHA1
d698c20feccbd422243358c8b18d30b38cab5b16

SHA256
a151df3adf31b8fe40da928f1664fac4e11d5a6e38598c83b7aef1f3bf2db899

SHA512
203fb0d2671d36492db9e7f889f9c80e16dd1faeac2f6e6ab65010756e0349a969a7802c59b2f50efbc01a5a29500f510455c37d87aae4891103f71a76f68b6c

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.9MB

MD5
95466f010bdc5693f86473f1ee2ab669

SHA1
e606e053369879bd42456eee1d1f39de4657141e

SHA256
d83db9e5f249eb749f5becce87380260302c52e49f51ce4446efef65c3f345a4

SHA512
0e9209a8c5cee8ab1160bcc1a1409928d7ade070b957dbc40ef94cc7ffcfca0668c37ff02aae83d33047340c15f6ca7ae7b3f055a67575797d510d89b09f5724

Download Submit
memory/408-497-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/408-313-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/800-200-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/800-227-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/952-179-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1516-236-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1516-209-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1568-297-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1588-180-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1616-319-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1616-608-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1740-100-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1740-131-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1808-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1808-29-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1808-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1808-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1808-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2060-334-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2060-831-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2084-142-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2120-190-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2296-0-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2296-33-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2296-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2296-2-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2296-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2348-121-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2352-199-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-284-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2388-327-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2388-719-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2392-265-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2392-237-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2400-172-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2400-143-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2524-254-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2556-218-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2556-189-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2580-246-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2636-160-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2652-277-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2684-333-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2684-298-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2716-285-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2716-320-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2740-386-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2740-306-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2764-74-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2764-49-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2764-45-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2764-44-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2856-326-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2856-291-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2928-42-0x0000000003400000-0x0000000003515000-memory.dmp

Filesize
1.1MB

Download
memory/2928-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-46-0x0000000000440000-0x000000000051F000-memory.dmp

Filesize
892KB

Download
memory/2928-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-271-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2948-300-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2988-118-0x0000000003300000-0x0000000003415000-memory.dmp

Filesize
1.1MB

Download
memory/2988-108-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-882-0x0000000003300000-0x0000000003415000-memory.dmp

Filesize
1.1MB

Download
memory/2988-132-0x0000000003300000-0x0000000003415000-memory.dmp

Filesize
1.1MB

Download
memory/2988-87-0x0000000003300000-0x0000000003415000-memory.dmp

Filesize
1.1MB

Download
memory/2988-136-0x0000000003300000-0x0000000003415000-memory.dmp

Filesize
1.1MB

Download
memory/2988-129-0x0000000003300000-0x0000000003415000-memory.dmp

Filesize
1.1MB

Download
memory/2988-335-0x0000000003300000-0x0000000003415000-memory.dmp

Filesize
1.1MB

Download
memory/2988-110-0x0000000003300000-0x0000000003415000-memory.dmp

Filesize
1.1MB

Download
memory/2988-98-0x0000000003300000-0x0000000003415000-memory.dmp

Filesize
1.1MB

Download
memory/2988-299-0x0000000003300000-0x0000000003415000-memory.dmp

Filesize
1.1MB

Download
memory/3024-312-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3024-278-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3036-120-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3036-88-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download