a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
118s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

TrashMalwares-main/NetPakoe.bat
Size

635B
MD5

6c5a9741a170d3ac2e2c89d3e91ea6ea
SHA1

7034266eefee8c6437d966f5d91ea82e50e10d59
SHA256

4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616
SHA512

9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exetaskkill.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.execmd.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeConhost.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	taskkill.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	Conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 64 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat	cmd.exe

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
8856	64	WerFault.exe
7356	9640	WerFault.exe	cmd.exe
13228	13000	WerFault.exe
13020	6772	WerFault.exe	cmd.exe
13028	12536	WerFault.exe
7880	12460	WerFault.exe	dwm.exe
5284	3832	WerFault.exe	cmd.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exedwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
11572	taskkill.exe
8104	taskkill.exe
8572	taskkill.exe
10380	taskkill.exe
11980	taskkill.exe
12104	taskkill.exe
11244	taskkill.exe
7368	taskkill.exe
6772	taskkill.exe
7868	taskkill.exe
8220	taskkill.exe
10352	taskkill.exe
10632	taskkill.exe
6304	taskkill.exe
7240	taskkill.exe
11532	taskkill.exe
7408	taskkill.exe
6756	taskkill.exe
4920	taskkill.exe
6300	taskkill.exe
5648	taskkill.exe
7080	taskkill.exe
7512	taskkill.exe
8132	taskkill.exe
8420	taskkill.exe
10932	taskkill.exe
6188	taskkill.exe
9240	taskkill.exe
10452	taskkill.exe
8360	taskkill.exe
10388	taskkill.exe
9308	taskkill.exe
10640	taskkill.exe
5312	taskkill.exe
8284	taskkill.exe
10140	taskkill.exe
2316	taskkill.exe
10440	taskkill.exe
6108	taskkill.exe
1684	taskkill.exe
2536	taskkill.exe
6768	taskkill.exe
8404	taskkill.exe
11812	taskkill.exe
10964	taskkill.exe
10584	taskkill.exe
7252	taskkill.exe
5136	taskkill.exe
11476	taskkill.exe
11944	taskkill.exe
10360	taskkill.exe
8676	taskkill.exe
2692	taskkill.exe
6404	taskkill.exe
7832	taskkill.exe
10612	taskkill.exe
10444	taskkill.exe
7128	taskkill.exe
2128	taskkill.exe
8464	taskkill.exe
2212	taskkill.exe
3268	taskkill.exe
5864	taskkill.exe
1256	taskkill.exe

Modifies data under HKEY_USERS 36 IoCs

Processes:

dwm.exedwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.execmd.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{8A367D91-CBF6-4329-AE24-ED2ABB958B6F}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{A3988848-604F-4626-96E1-AEA39194E675}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{78AFF901-9FF4-4525-B18D-99370946EF7D}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{2674D955-9B48-49CF-97E4-96E14F3D14BF}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{4E8FFEF8-1F58-463C-8B03-8D1F2C685C56}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{35570209-C2BD-44FA-9322-650A1E3A7E6E}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{7187A0E8-FE8E-4983-AE77-15759B035C95}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{65A57B18-B157-46DA-ACF7-CC2A14528A5D}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{8E369A29-EA23-43A8-B65F-DBD43CE31264}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{2D5B39BE-B1DC-4128-B3EB-0E33A435A689}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{558C85AD-B57C-4B40-96F6-9B110035E1B7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{6691B836-77D4-4654-BB88-4DC17E14B369}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{98FBE856-CAEB-47E8-924D-180A15200868}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{A4E00649-F404-45D8-83CE-B5A5FC95ED3A}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{233A4BFA-423A-4334-A0D7-779A61ADD8C2}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
3352
3912
4028
11128
1820
2480
11808
12240
9496
11864
11868
11940
11924
9852
7856
12012
12092
5280
9832
2296
7472
2256
9856
3776
7508
4072
11220
5224
404
7880
4048
3744
1432
936
12196
9892
2708
4824
1960
5492
4452
3956
3368
8772
3936
5740
3256
5124
4920
8864
5936
5312
3748
12828
10132
5536
8868
5008
4120
5284
5360
10004
5732
12232

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeexplorer.exetaskkill.exetaskkill.exeexplorer.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeexplorer.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exeexplorer.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4964	taskkill.exe
Token: SeShutdownPrivilege	5112	explorer.exe
Token: SeCreatePagefilePrivilege	5112	explorer.exe
Token: SeShutdownPrivilege	5112	explorer.exe
Token: SeCreatePagefilePrivilege	5112	explorer.exe
Token: SeShutdownPrivilege	5112	explorer.exe
Token: SeCreatePagefilePrivilege	5112	explorer.exe
Token: SeShutdownPrivilege	5112	explorer.exe
Token: SeCreatePagefilePrivilege	5112	explorer.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeShutdownPrivilege	5112	explorer.exe
Token: SeCreatePagefilePrivilege	5112	explorer.exe
Token: SeShutdownPrivilege	3504	explorer.exe
Token: SeCreatePagefilePrivilege	3504	explorer.exe
Token: SeShutdownPrivilege	3504	explorer.exe
Token: SeCreatePagefilePrivilege	3504	explorer.exe
Token: SeShutdownPrivilege	3504	explorer.exe
Token: SeCreatePagefilePrivilege	3504	explorer.exe
Token: SeShutdownPrivilege	3504	explorer.exe
Token: SeCreatePagefilePrivilege	3504	explorer.exe
Token: SeShutdownPrivilege	3504	explorer.exe
Token: SeCreatePagefilePrivilege	3504	explorer.exe
Token: SeDebugPrivilege	4448	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeDebugPrivilege	4888	taskkill.exe
Token: SeShutdownPrivilege	1808	explorer.exe
Token: SeCreatePagefilePrivilege	1808	explorer.exe
Token: SeShutdownPrivilege	1808	explorer.exe
Token: SeCreatePagefilePrivilege	1808	explorer.exe
Token: SeShutdownPrivilege	1808	explorer.exe
Token: SeCreatePagefilePrivilege	1808	explorer.exe
Token: SeShutdownPrivilege	1808	explorer.exe
Token: SeCreatePagefilePrivilege	1808	explorer.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeShutdownPrivilege	1808	explorer.exe
Token: SeCreatePagefilePrivilege	1808	explorer.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	4544	taskkill.exe
Token: SeShutdownPrivilege	208	Conhost.exe
Token: SeCreatePagefilePrivilege	208	Conhost.exe
Token: SeShutdownPrivilege	208	Conhost.exe
Token: SeCreatePagefilePrivilege	208	Conhost.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	2536	Conhost.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeDebugPrivilege	3304	taskkill.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.execmd.exeexplorer.exe

pid	process
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
3504	explorer.exe
3504	explorer.exe
3504	explorer.exe
3504	explorer.exe
3504	explorer.exe
3504	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
5508	explorer.exe
5508	explorer.exe
5508	explorer.exe
5508	explorer.exe
5508	explorer.exe
5508	explorer.exe
5920	explorer.exe
5920	explorer.exe
5920	explorer.exe
5920	explorer.exe
5920	explorer.exe
5920	explorer.exe
6288	explorer.exe
6288	explorer.exe
6288	explorer.exe
6288	explorer.exe
6288	explorer.exe
6288	explorer.exe
6832	explorer.exe
6832	explorer.exe
6832	explorer.exe
6832	explorer.exe
6832	explorer.exe
6832	explorer.exe
6912	cmd.exe
6912	cmd.exe
6912	cmd.exe
6912	cmd.exe
6912	cmd.exe
6912	cmd.exe
7896	explorer.exe
7896	explorer.exe
7896	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
3504	explorer.exe
3504	explorer.exe
3504	explorer.exe
3504	explorer.exe
3504	explorer.exe
3504	explorer.exe
3504	explorer.exe
3504	explorer.exe
3504	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
5508	explorer.exe
5508	explorer.exe
5508	explorer.exe
5508	explorer.exe
5508	explorer.exe
5508	explorer.exe
5508	explorer.exe
5508	explorer.exe
5508	explorer.exe
5920	explorer.exe
5920	explorer.exe
5920	explorer.exe
5920	explorer.exe
5920	explorer.exe
5920	explorer.exe
5920	explorer.exe
5920	explorer.exe
5920	explorer.exe
6288	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4752 wrote to memory of 2640	4752	cmd.exe	taskkill.exe
PID 4752 wrote to memory of 2640	4752	cmd.exe	taskkill.exe
PID 4752 wrote to memory of 4964	4752	cmd.exe	taskkill.exe
PID 4752 wrote to memory of 4964	4752	cmd.exe	taskkill.exe
PID 4752 wrote to memory of 4604	4752	cmd.exe	cmd.exe
PID 4752 wrote to memory of 4604	4752	cmd.exe	cmd.exe
PID 4752 wrote to memory of 4596	4752	cmd.exe	cmd.exe
PID 4752 wrote to memory of 4596	4752	cmd.exe	cmd.exe
PID 4752 wrote to memory of 5112	4752	cmd.exe	explorer.exe
PID 4752 wrote to memory of 5112	4752	cmd.exe	explorer.exe
PID 4596 wrote to memory of 4664	4596	cmd.exe	taskkill.exe
PID 4596 wrote to memory of 4664	4596	cmd.exe	taskkill.exe
PID 4604 wrote to memory of 4624	4604	cmd.exe	taskkill.exe
PID 4604 wrote to memory of 4624	4604	cmd.exe	taskkill.exe
PID 4596 wrote to memory of 2708	4596	cmd.exe	taskkill.exe
PID 4596 wrote to memory of 2708	4596	cmd.exe	taskkill.exe
PID 4604 wrote to memory of 2380	4604	cmd.exe	taskkill.exe
PID 4604 wrote to memory of 2380	4604	cmd.exe	taskkill.exe
PID 4604 wrote to memory of 4276	4604	cmd.exe	cmd.exe
PID 4604 wrote to memory of 4276	4604	cmd.exe	cmd.exe
PID 4596 wrote to memory of 4136	4596	cmd.exe	cmd.exe
PID 4596 wrote to memory of 4136	4596	cmd.exe	cmd.exe
PID 4604 wrote to memory of 4312	4604	cmd.exe	cmd.exe
PID 4604 wrote to memory of 4312	4604	cmd.exe	cmd.exe
PID 4596 wrote to memory of 4420	4596	cmd.exe	cmd.exe
PID 4596 wrote to memory of 4420	4596	cmd.exe	cmd.exe
PID 4604 wrote to memory of 3504	4604	cmd.exe	explorer.exe
PID 4604 wrote to memory of 3504	4604	cmd.exe	explorer.exe
PID 4596 wrote to memory of 3380	4596	cmd.exe	explorer.exe
PID 4596 wrote to memory of 3380	4596	cmd.exe	explorer.exe
PID 4420 wrote to memory of 1496	4420	cmd.exe	taskkill.exe
PID 4420 wrote to memory of 1496	4420	cmd.exe	taskkill.exe
PID 4276 wrote to memory of 2600	4276	cmd.exe	taskkill.exe
PID 4276 wrote to memory of 2600	4276	cmd.exe	taskkill.exe
PID 4136 wrote to memory of 2536	4136	cmd.exe	Conhost.exe
PID 4136 wrote to memory of 2536	4136	cmd.exe	Conhost.exe
PID 4312 wrote to memory of 2456	4312	cmd.exe	taskkill.exe
PID 4312 wrote to memory of 2456	4312	cmd.exe	taskkill.exe
PID 4420 wrote to memory of 4448	4420	cmd.exe	taskkill.exe
PID 4420 wrote to memory of 4448	4420	cmd.exe	taskkill.exe
PID 4276 wrote to memory of 1256	4276	cmd.exe	taskkill.exe
PID 4276 wrote to memory of 1256	4276	cmd.exe	taskkill.exe
PID 4136 wrote to memory of 4264	4136	cmd.exe	taskkill.exe
PID 4136 wrote to memory of 4264	4136	cmd.exe	taskkill.exe
PID 4312 wrote to memory of 4888	4312	cmd.exe	taskkill.exe
PID 4312 wrote to memory of 4888	4312	cmd.exe	taskkill.exe
PID 4420 wrote to memory of 4316	4420	cmd.exe	cmd.exe
PID 4420 wrote to memory of 4316	4420	cmd.exe	cmd.exe
PID 4420 wrote to memory of 1112	4420	cmd.exe	cmd.exe
PID 4420 wrote to memory of 1112	4420	cmd.exe	cmd.exe
PID 4420 wrote to memory of 1808	4420	cmd.exe	explorer.exe
PID 4420 wrote to memory of 1808	4420	cmd.exe	explorer.exe
PID 4276 wrote to memory of 4240	4276	cmd.exe	cmd.exe
PID 4276 wrote to memory of 4240	4276	cmd.exe	cmd.exe
PID 4276 wrote to memory of 2360	4276	cmd.exe	cmd.exe
PID 4276 wrote to memory of 2360	4276	cmd.exe	cmd.exe
PID 4276 wrote to memory of 640	4276	cmd.exe	explorer.exe
PID 4276 wrote to memory of 640	4276	cmd.exe	explorer.exe
PID 1112 wrote to memory of 1048	1112	cmd.exe	taskkill.exe
PID 1112 wrote to memory of 1048	1112	cmd.exe	taskkill.exe
PID 4316 wrote to memory of 3040	4316	cmd.exe	taskkill.exe
PID 4316 wrote to memory of 3040	4316	cmd.exe	taskkill.exe
PID 4240 wrote to memory of 3472	4240	cmd.exe	taskkill.exe
PID 4240 wrote to memory of 3472	4240	cmd.exe	taskkill.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe.bat"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
2⤵
PID:2640

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\explorer.exe
explorer
2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
3⤵
PID:4664

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
3⤵
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
3⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
4⤵
PID:1496

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
4⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
5⤵
PID:3040

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
5⤵
- Drops startup file
PID:1508

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:5572

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:5136

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:7528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:7684

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:5324

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:10984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:4116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:2656

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:4824

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
9⤵
PID:9700

C:\Windows\system32\taskkill.exe
Taskkill /IM Taskmgr.exe /F
9⤵
- Kills process with taskkill
PID:11812

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
9⤵
PID:7764

C:\Windows\explorer.exe
explorer
8⤵
PID:9052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:9596

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:10440

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:6620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:12808

C:\Windows\explorer.exe
explorer
8⤵
PID:5132

C:\Windows\explorer.exe
explorer
7⤵
PID:10052

C:\Windows\explorer.exe
explorer
6⤵
PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
- Drops startup file
PID:5404

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6492

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:7520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:6772

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:7648

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:10400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:12036

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:7328

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:4936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6772 -s 576
8⤵
- Program crash
PID:13020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:9640

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:3204

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:10792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:10748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:10360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:11536

C:\Windows\explorer.exe
explorer
8⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:8200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 9640 -s 560
8⤵
- Program crash
PID:7356

C:\Windows\explorer.exe
explorer
7⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:10080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
5⤵
PID:3240

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:6000

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6500

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:6244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:8048

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:9204

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:8596

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:10956

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:10956

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
9⤵
PID:12864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:5868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:10220

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:11908

C:\Windows\explorer.exe
explorer
8⤵
PID:11188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:7308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:7544

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:8304

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:8556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
- Drops startup file
PID:5856

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
- Kills process with taskkill
PID:9240

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
- Kills process with taskkill
PID:7368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:11504

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:11476

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:10616

C:\Windows\explorer.exe
explorer
8⤵
PID:11812

C:\Windows\explorer.exe
explorer
7⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:7480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
- Drops startup file
PID:6032

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6356

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:6536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:8912

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:6120

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:9056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:7296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:10040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:9180

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:6404

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:9632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:12748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:1344

C:\Windows\explorer.exe
explorer
7⤵
PID:9048

C:\Windows\explorer.exe
explorer
6⤵
PID:4116

C:\Windows\explorer.exe
explorer
5⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
4⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
5⤵
PID:1048

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
5⤵
- Drops startup file
PID:4024

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:4280

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:5460

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6232

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:7208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:5860

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:8284

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:9188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:11512

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:9660

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
- Kills process with taskkill
PID:8360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:11820

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:11540

C:\Windows\explorer.exe
explorer
9⤵
PID:12348

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
9⤵
PID:9792

C:\Windows\explorer.exe
explorer
8⤵
PID:1044

C:\Windows\explorer.exe
explorer
7⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:7996

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:9100

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
- Kills process with taskkill
PID:10140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:6476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:11344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
PID:5484

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:3688

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:7256

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:7240

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:8580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
- Drops startup file
PID:11144

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:8200

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
- Kills process with taskkill
PID:8404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
- Drops startup file
PID:3852

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:10324

C:\Windows\explorer.exe
explorer
9⤵
PID:12740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:992

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
10⤵
PID:1960

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
10⤵
PID:4280

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
10⤵
PID:2164

C:\Windows\system32\taskkill.exe
Taskkill /IM Taskmgr.exe /F
10⤵
PID:7700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
- Drops startup file
PID:10068

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
10⤵
PID:11252

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
10⤵
PID:6308

C:\Windows\explorer.exe
explorer
8⤵
PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:7552

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:7480

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
- Kills process with taskkill
PID:8104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:10676

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
- Kills process with taskkill
PID:11980

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
- Drops startup file
PID:11180

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:5908

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:9436

C:\Windows\explorer.exe
explorer
8⤵
PID:8076

C:\Windows\explorer.exe
explorer
7⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:7896

C:\Windows\explorer.exe
explorer
6⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
5⤵
PID:4692

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:4832

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
PID:3404

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:7092

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:7144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:7264

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:10148

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:7324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:11284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:8096

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:10064

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
- Kills process with taskkill
PID:8572

C:\Windows\explorer.exe
explorer
8⤵
PID:4060

C:\Windows\explorer.exe
explorer
7⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:8504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
- Drops startup file
PID:5968

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6680

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:7188

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:9548

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:10872

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
- Kills process with taskkill
PID:10444

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
9⤵
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:10316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:7216

C:\Windows\explorer.exe
explorer
8⤵
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
- Drops startup file
PID:7740

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:9792

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
- Kills process with taskkill
PID:8464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:1264

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:12108

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:1156

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
- Kills process with taskkill
PID:10388

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:11560

C:\Windows\explorer.exe
explorer
8⤵
PID:8836

C:\Windows\explorer.exe
explorer
7⤵
PID:8084

C:\Windows\explorer.exe
explorer
6⤵
PID:5452

C:\Windows\explorer.exe
explorer
5⤵
PID:4920

C:\Windows\explorer.exe
explorer
4⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
4⤵
- Kills process with taskkill
PID:2536

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
4⤵
- Drops startup file
PID:3952

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
5⤵
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
5⤵
- Drops startup file
PID:4232

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:5344

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:6728

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:7216

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:8116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:8808

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:7912

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:10684

C:\Windows\explorer.exe
explorer
8⤵
PID:11424

C:\Windows\explorer.exe
explorer
7⤵
PID:9952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
- Drops startup file
PID:9404

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:10196

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:10348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
PID:6788

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6748

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:8096

C:\Windows\explorer.exe
explorer
7⤵
PID:10036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:9540

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:8640

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:9668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:4472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:9660

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:9764

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:5008

C:\Windows\explorer.exe
explorer
9⤵
PID:6552

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
9⤵
PID:8252

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:10096

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
9⤵
PID:11196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:7324

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:9892

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:5964

C:\Windows\explorer.exe
explorer
8⤵
PID:11500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:9492

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:10152

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:6604

C:\Windows\explorer.exe
explorer
6⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
5⤵
PID:3924

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:5752

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:6724

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:7792

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:10844

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:9816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:9820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:10584

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:8772

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:12360

C:\Windows\explorer.exe
explorer
8⤵
PID:13100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:932

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:11572

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:544

C:\Windows\explorer.exe
explorer
7⤵
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
PID:6504

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:7352

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:8436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:10732

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:12104

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:3440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:7596

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:9948

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:12612

C:\Windows\explorer.exe
explorer
8⤵
PID:13092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
- Drops startup file
PID:12452

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:9340

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:10384

C:\Windows\explorer.exe
explorer
9⤵
PID:11236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:9460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
PID:9476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:11116

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
- Drops startup file
PID:1108

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:10124

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:5652

C:\Windows\explorer.exe
explorer
8⤵
PID:12700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:11196

C:\Windows\explorer.exe
explorer
7⤵
PID:2656

C:\Windows\explorer.exe
explorer
6⤵
PID:7400

C:\Windows\explorer.exe
explorer
5⤵
PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
4⤵
- Drops startup file
PID:1568

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
5⤵
PID:1836

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
5⤵
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
5⤵
- Drops startup file
PID:4684

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:5432

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:6256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:6680

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
- Kills process with taskkill
PID:7832

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:8136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
- Drops startup file
PID:3436

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:13120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:8248

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:10452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:12896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:12852

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:2296

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
PID:5428

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
9⤵
PID:8896

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
9⤵
PID:7432

C:\Windows\explorer.exe
explorer
8⤵
PID:11952

C:\Windows\explorer.exe
explorer
7⤵
PID:11280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
PID:5456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:6500

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:7112

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:7800

C:\Windows\explorer.exe
explorer
7⤵
PID:6412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
- Drops startup file
PID:8044

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:10220

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:12080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:12764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:8816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:5032

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:2576

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:12228

C:\Windows\explorer.exe
explorer
8⤵
PID:10432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:2952

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:10336

C:\Windows\explorer.exe
explorer
6⤵
PID:7408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
5⤵
- Drops startup file
PID:3324

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
- Kills process with taskkill
PID:5312

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:6844

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:5864

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:7088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:8628

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:2964

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:10168

C:\Windows\explorer.exe
explorer
8⤵
PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
- Drops startup file
PID:8348

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
PID:7316

C:\Windows\explorer.exe
explorer
9⤵
PID:11992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:11752

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
9⤵
PID:13180

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:4868

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
9⤵
PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
- Drops startup file
PID:9024

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:6128

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:11260

C:\Windows\explorer.exe
explorer
7⤵
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
- Drops startup file
PID:7156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
- Kills process with taskkill
PID:7868

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
- Kills process with taskkill
PID:6300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:9648

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:8496

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:9192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:3272

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:7840

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:12744

C:\Windows\explorer.exe
explorer
8⤵
PID:10356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:10088

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:10512

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:6628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
- Drops startup file
PID:12312

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:10288

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
9⤵
PID:8100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:12964

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:8152

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:5836

C:\Windows\explorer.exe
explorer
7⤵
PID:9848

C:\Windows\explorer.exe
explorer
6⤵
PID:5824

C:\Windows\explorer.exe
explorer
5⤵
PID:640

C:\Windows\explorer.exe
explorer
4⤵
PID:8

C:\Windows\explorer.exe
explorer
3⤵
PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
3⤵
PID:4624

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
4⤵
PID:2600

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
5⤵
PID:3472

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
5⤵
PID:4416

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:1308

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
- Drops startup file
PID:5684

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:5680

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:6876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:7920

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:8084

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:6944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
- Drops startup file
PID:11048

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:7324

C:\Windows\explorer.exe
explorer
9⤵
PID:12756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:1040

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
10⤵
PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
PID:3832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3832 -s 540
10⤵
- Program crash
PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:5056

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:8760

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
- Kills process with taskkill
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
PID:3724

C:\Windows\explorer.exe
explorer
9⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:13056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:12352

C:\Windows\explorer.exe
explorer
10⤵
PID:4680

C:\Windows\explorer.exe
explorer
8⤵
PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:8156

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:5136

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:8248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:11520

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:8760

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
- Kills process with taskkill
PID:9308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
PID:13156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:13180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
- Drops startup file
PID:11828

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
- Kills process with taskkill
PID:11532

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:10632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
PID:9944

C:\Windows\explorer.exe
explorer
9⤵
PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:4500

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
9⤵
PID:3752

C:\Windows\explorer.exe
explorer
8⤵
PID:11996

C:\Windows\explorer.exe
explorer
7⤵
PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
PID:5876

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
- Kills process with taskkill
PID:7080

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:7144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:8428

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:7980

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
- Kills process with taskkill
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:10764

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
- Kills process with taskkill
PID:7252

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
- Kills process with taskkill
PID:5864

C:\Windows\explorer.exe
explorer
8⤵
PID:10896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:8704

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:8220

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
- Kills process with taskkill
PID:10360

C:\Windows\explorer.exe
explorer
8⤵
PID:13040

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
8⤵
PID:12268

C:\Windows\explorer.exe
explorer.exe
8⤵
PID:12616

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
8⤵
- Kills process with taskkill
PID:6756

C:\Windows\explorer.exe
explorer
7⤵
PID:9052

C:\Windows\explorer.exe
explorer
6⤵
- Modifies Installed Components in the registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
5⤵
PID:4988

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:3492

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
PID:6568

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:7248

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
- Kills process with taskkill
PID:8132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:1252

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:9944

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:10956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:10052

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:9808

C:\Windows\explorer.exe
explorer
8⤵
PID:12952

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
8⤵
PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:9500

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:10380

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:12692

C:\Windows\explorer.exe
explorer
8⤵
PID:12844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:924

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:2196

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
- Kills process with taskkill
PID:10964

C:\Windows\explorer.exe
explorer
7⤵
PID:10020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:6376

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6672

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:7544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:9108

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:6124

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:4364

C:\Windows\explorer.exe
explorer
8⤵
PID:13108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:12460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:8884

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:8676

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
- Kills process with taskkill
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:12816

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:6276

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
PID:8744

C:\Windows\explorer.exe
explorer
9⤵
PID:12628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:10408

C:\Windows\explorer.exe
explorer
7⤵
PID:9880

C:\Windows\explorer.exe
explorer
6⤵
PID:6764

C:\Windows\explorer.exe
explorer
5⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
4⤵
- Drops startup file
PID:2360

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
5⤵
PID:1292

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
5⤵
- Drops startup file
PID:4700

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:4688

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:6088

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
- Kills process with taskkill
PID:6188

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:6744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:8620

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:6404

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:9956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:7916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
- Drops startup file
PID:8988

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:9104

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:10764

C:\Windows\explorer.exe
explorer
8⤵
PID:7708

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
8⤵
PID:7696

C:\Windows\explorer.exe
explorer.exe
8⤵
PID:12360

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
8⤵
- Kills process with taskkill
PID:2692

C:\Windows\explorer.exe
explorer
7⤵
PID:8420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
PID:5480

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6488

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
- Kills process with taskkill
PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:6880

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:8420

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:6716

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
- Kills process with taskkill
PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
PID:12860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:12912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:8052

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
- Kills process with taskkill
PID:11244

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:11800

C:\Windows\explorer.exe
explorer
8⤵
PID:11304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:6776

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:5260

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
- Kills process with taskkill
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
- Drops startup file
PID:10160

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:9856

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
- Kills process with taskkill
PID:4920

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:8204

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
9⤵
PID:8508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:10424

C:\Windows\explorer.exe
explorer
7⤵
PID:8512

C:\Windows\explorer.exe
explorer
6⤵
- Modifies Installed Components in the registry
PID:6164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
5⤵
PID:1304

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:3932

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:1836

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
- Kills process with taskkill
PID:6304

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:7772

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:5540

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:7512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
- Drops startup file
PID:10836

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:8840

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:8360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
PID:11948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:12304

C:\Windows\explorer.exe
explorer
9⤵
PID:12944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
- Drops startup file
PID:6292

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:10484

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:10668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
PID:5412

C:\Windows\explorer.exe
explorer
9⤵
PID:8772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:6444

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
9⤵
PID:10252

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:6852

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
9⤵
- Kills process with taskkill
PID:11944

C:\Windows\explorer.exe
explorer
8⤵
PID:10936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
- Drops startup file
PID:8060

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:6228

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:9212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:4932

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
PID:10756

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
- Kills process with taskkill
PID:7408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
9⤵
PID:9072

C:\Windows\explorer.exe
explorer
9⤵
PID:9144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
9⤵
PID:9132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:11328

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
9⤵
- Modifies Installed Components in the registry
PID:5908

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
9⤵
PID:11872

C:\Windows\explorer.exe
explorer
8⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:11748

C:\Windows\explorer.exe
explorer
7⤵
PID:7288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
PID:5472

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6968

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
- Kills process with taskkill
PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:8736

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:8380

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
- Kills process with taskkill
PID:10352

C:\Windows\explorer.exe
explorer
8⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:9064

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:5252

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:8584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:9952

C:\Windows\explorer.exe
explorer
8⤵
PID:12268

C:\Windows\explorer.exe
explorer
7⤵
PID:4756

C:\Windows\explorer.exe
explorer
6⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6288

C:\Windows\explorer.exe
explorer
5⤵
PID:3092

C:\Windows\explorer.exe
explorer
4⤵
PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
4⤵
PID:2456

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
4⤵
PID:2640

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
5⤵
PID:936

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
5⤵
PID:3708

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:5568

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
- Kills process with taskkill
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:6760

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6772

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:7952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:10652

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:6948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:8380

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:11476

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
- Kills process with taskkill
PID:10584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:12972

C:\Windows\explorer.exe
explorer
7⤵
PID:10580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
- Drops startup file
PID:6188

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:7060

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:8520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
- Drops startup file
PID:3812

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:10632

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:11628

C:\Windows\explorer.exe
explorer
7⤵
PID:8516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:11160

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:10252

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:11552

C:\Windows\explorer.exe
explorer
6⤵
PID:7308

C:\Windows\explorer.exe
explorer
5⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
5⤵
PID:4564

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:4016

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:6644

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:5680

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:7424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:8716

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:8676

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:10600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:7324

C:\Windows\explorer.exe
explorer
8⤵
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
- Drops startup file
PID:9136

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:9668

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:10264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:8516

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
9⤵
PID:12680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:1312

C:\Windows\explorer.exe
explorer
8⤵
PID:12936

C:\Windows\explorer.exe
explorer
7⤵
PID:9200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
PID:6960

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6708

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
- Kills process with taskkill
PID:7512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:9424

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:10260

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:10496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:6604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:10064

C:\Windows\explorer.exe
explorer
8⤵
PID:10760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
- Drops startup file
PID:9980

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:10640

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
- Kills process with taskkill
PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:11280

C:\Windows\explorer.exe
explorer
8⤵
PID:8784

C:\Windows\explorer.exe
explorer
7⤵
PID:8756

C:\Windows\explorer.exe
explorer
6⤵
PID:6216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
4⤵
PID:2556

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
5⤵
PID:4184

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
5⤵
- Drops startup file
PID:4880

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:5288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:6488

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
- Drops startup file
PID:5288

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:7132

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:7520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:6996

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:8020

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:12244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:13128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
- Drops startup file
PID:3044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:6944

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:9444

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:8284

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
8⤵
PID:12764

C:\Windows\explorer.exe
explorer
7⤵
PID:8484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
PID:6056

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6768

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:7264

C:\Windows\explorer.exe
explorer
6⤵
PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
5⤵
- Drops startup file
PID:3916

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
6⤵
PID:5324

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
6⤵
PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
6⤵
PID:5188

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:6396

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
PID:7548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
PID:8548

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:10932

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:10548

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:11788

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:7596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:8468

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
9⤵
PID:3940

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:11172

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
9⤵
PID:10664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:12544

C:\Windows\explorer.exe
explorer
8⤵
PID:12784

C:\Windows\explorer.exe
explorer
7⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:10972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
6⤵
PID:5420

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
7⤵
PID:7216

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
7⤵
- Kills process with taskkill
PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
7⤵
- Drops startup file
PID:7060

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
PID:9268

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:11436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:536

C:\Windows\explorer.exe
explorer
8⤵
PID:12928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:12344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
7⤵
PID:9100

C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
8⤵
- Kills process with taskkill
PID:10612

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
8⤵
PID:10056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
8⤵
PID:12956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
8⤵
PID:12940

C:\Windows\explorer.exe
explorer
8⤵
PID:9904

C:\Windows\system32\shutdown.exe
shutdown -s -t 60
8⤵
PID:3824

C:\Windows\explorer.exe
explorer.exe
8⤵
PID:6872

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
8⤵
PID:10252

C:\Windows\system32\taskkill.exe
Taskkill /IM csrss.exe /F
8⤵
PID:8828

C:\Windows\explorer.exe
explorer
7⤵
PID:9264

C:\Windows\explorer.exe
explorer
6⤵
PID:7184

C:\Windows\explorer.exe
explorer
5⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:3576

C:\Windows\explorer.exe
explorer
4⤵
PID:208

C:\Windows\explorer.exe
explorer
3⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:10348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 64 -ip 64
1⤵
PID:10452

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 64 -s 4728
1⤵
- Program crash
PID:8856

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:8508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:11244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:10580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:9848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 8508 -ip 8508
1⤵
PID:13220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:12228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 13000 -s 292
1⤵
- Program crash
PID:13228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 12536 -s 400
1⤵
- Program crash
PID:13028

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:12460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 12460 -s 6436
2⤵
- Program crash
PID:7880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 12460 -ip 12460
1⤵
PID:5332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 11172 -ip 11172
1⤵
PID:8204

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:8876

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:10104

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3516

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1652

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3832 -ip 3832
1⤵
PID:4176

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4052

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:6284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:11596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
Filesize
635B

MD5
6c5a9741a170d3ac2e2c89d3e91ea6ea

SHA1
7034266eefee8c6437d966f5d91ea82e50e10d59

SHA256
4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616

SHA512
9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c

Download Submit
memory/8-183-0x0000000000000000-mapping.dmp

Download
memory/208-182-0x0000000000000000-mapping.dmp

Download
memory/448-184-0x0000000000000000-mapping.dmp

Download
memory/640-166-0x0000000000000000-mapping.dmp

Download
memory/936-190-0x0000000000000000-mapping.dmp

Download
memory/1048-168-0x0000000000000000-mapping.dmp

Download
memory/1112-162-0x0000000000000000-mapping.dmp

Download
memory/1256-158-0x0000000000000000-mapping.dmp

Download
memory/1292-175-0x0000000000000000-mapping.dmp

Download
memory/1304-210-0x0000000000000000-mapping.dmp

Download
memory/1496-193-0x0000000000000000-mapping.dmp

Download
memory/1496-150-0x0000000000000000-mapping.dmp

Download
memory/1508-201-0x0000000000000000-mapping.dmp

Download
memory/1568-181-0x0000000000000000-mapping.dmp

Download
memory/1808-163-0x0000000000000000-mapping.dmp

Download
memory/1836-192-0x0000000000000000-mapping.dmp

Download
memory/2128-177-0x0000000000000000-mapping.dmp

Download
memory/2360-165-0x0000000000000000-mapping.dmp

Download
memory/2380-142-0x0000000000000000-mapping.dmp

Download
memory/2456-156-0x0000000000000000-mapping.dmp

Download
memory/2536-154-0x0000000000000000-mapping.dmp

Download
memory/2536-196-0x0000000000000000-mapping.dmp

Download
memory/2556-179-0x0000000000000000-mapping.dmp

Download
memory/2600-152-0x0000000000000000-mapping.dmp

Download
memory/2600-195-0x0000000000000000-mapping.dmp

Download
memory/2640-132-0x0000000000000000-mapping.dmp

Download
memory/2640-178-0x0000000000000000-mapping.dmp

Download
memory/2708-189-0x0000000000000000-mapping.dmp

Download
memory/2708-141-0x0000000000000000-mapping.dmp

Download
memory/3040-170-0x0000000000000000-mapping.dmp

Download
memory/3240-203-0x0000000000000000-mapping.dmp

Download
memory/3380-148-0x0000000000000000-mapping.dmp

Download
memory/3472-172-0x0000000000000000-mapping.dmp

Download
memory/3504-147-0x0000000000000000-mapping.dmp

Download
memory/3544-174-0x0000000000000000-mapping.dmp

Download
memory/3952-176-0x0000000000000000-mapping.dmp

Download
memory/4024-197-0x0000000000000000-mapping.dmp

Download
memory/4112-204-0x0000000000000000-mapping.dmp

Download
memory/4136-144-0x0000000000000000-mapping.dmp

Download
memory/4184-187-0x0000000000000000-mapping.dmp

Download
memory/4240-164-0x0000000000000000-mapping.dmp

Download
memory/4264-159-0x0000000000000000-mapping.dmp

Download
memory/4276-143-0x0000000000000000-mapping.dmp

Download
memory/4280-206-0x0000000000000000-mapping.dmp

Download
memory/4312-145-0x0000000000000000-mapping.dmp

Download
memory/4316-161-0x0000000000000000-mapping.dmp

Download
memory/4332-194-0x0000000000000000-mapping.dmp

Download
memory/4416-200-0x0000000000000000-mapping.dmp

Download
memory/4420-146-0x0000000000000000-mapping.dmp

Download
memory/4448-157-0x0000000000000000-mapping.dmp

Download
memory/4544-180-0x0000000000000000-mapping.dmp

Download
memory/4596-135-0x0000000000000000-mapping.dmp

Download
memory/4604-134-0x0000000000000000-mapping.dmp

Download
memory/4624-140-0x0000000000000000-mapping.dmp

Download
memory/4664-138-0x0000000000000000-mapping.dmp

Download
memory/4692-198-0x0000000000000000-mapping.dmp

Download
memory/4700-207-0x0000000000000000-mapping.dmp

Download
memory/4764-208-0x0000000000000000-mapping.dmp

Download
memory/4832-211-0x0000000000000000-mapping.dmp

Download
memory/4888-160-0x0000000000000000-mapping.dmp

Download
memory/4920-199-0x0000000000000000-mapping.dmp

Download
memory/4964-133-0x0000000000000000-mapping.dmp

Download
memory/4988-202-0x0000000000000000-mapping.dmp

Download
memory/5112-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads