Analysis
max time kernel: 143s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 03:45
Behavioral task: behavioral1
Sample: 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe
Size: 2.9MB
MD5: 68c26299729c5c66edf3d841a8139aa0
SHA1: f314d0a653faac272a9b5621d6bd028e17f0fd82
SHA256: 9e133e1fd92c296c2ddf21e2d729098bd74e4846a8add46a9abeb133cbf0f6ea
SHA512: e1b4b1cb869882ba42bf943e6ff1427ef0d60613be9c4b89f4ccd7b8d465d41f64a2db90c2f3272a786d91118234d65e58273bf3353f920e0e076df7d6c452ed
SSDEEP: 24576:eTy7ASmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHK:eTy7ASmw4gxeOw46fUbNecCCFbNec1
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000015cf0-84.dat | warzonerat
behavioral1/files/0x0008000000015cc7-163.dat | warzonerat
behavioral1/files/0x0008000000015d02-179.dat | warzonerat
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file (29 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | cmd.exe (28 identical entries)
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | cmd.exe
Executes dropped EXE (64 IoCs)
pid | Process
1744, 2416, 1824 | explorer.exe
1804, 1748, 296, 2276, 2784, 2756, 2552, 2472, 1052, 1276, 1636, 2076, 1872, 1800, 2304, 2616, 1616, 1612, 2452, 2560, 2888, 1948, 2508, 2520, 2380, 1492, 1356, 2152, 2716, 1696, 1624, 2964, 2564, 1072, 1844, 548, 896, 572, 2080, 2400, 672, 1544, 2220, 876, 2464, 2160, 2648, 3016, 1032, 1844, 2292, 2384, 2156, 1668, 1524, 1464, 2976, 2972, 2536, 2700, 2992 | spoolsv.exe (61 entries; PID 1844 is listed twice)
Loads dropped DLL (64 IoCs)
pid | Process
1704 | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe (2 entries)
1824 | explorer.exe (42 entries)
1804, 296, 2784, 2552, 1052, 1636, 1872, 2304, 1616, 2452, 2888, 2508, 2380, 1356, 2716, 1624, 2564, 1844, 896, 2080 | spoolsv.exe (20 entries)
Adds Run key to start application (2 TTPs, 10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe" | spoolsv.exe
Suspicious use of SetThreadContext (58 IoCs)
description (source pid -> target pid) | Process | procid_target
2960 set thread context of 1752 | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe | 30
1752 set thread context of 1704 | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe | 31
1752 set thread context of 2832 | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe | 32
1744 set thread context of 2416 | explorer.exe | 36
2416 set thread context of 1824 | explorer.exe | 39
2416 set thread context of 2036 | explorer.exe | 40
1804 set thread context of 1748 | spoolsv.exe | 44
296 set thread context of 2276 | spoolsv.exe | 48
2784 set thread context of 2756 | spoolsv.exe | 51
2552 set thread context of 2472 | spoolsv.exe | 55
1052 set thread context of 1276 | spoolsv.exe | 58
1636 set thread context of 2076 | spoolsv.exe | 62
1872 set thread context of 1800 | spoolsv.exe | 66
2304 set thread context of 2616 | spoolsv.exe | 70
1616 set thread context of 1612 | spoolsv.exe | 74
2452 set thread context of 2560 | spoolsv.exe | 78
2888 set thread context of 1948 | spoolsv.exe | 82
2508 set thread context of 2520 | spoolsv.exe | 86
2380 set thread context of 1492 | spoolsv.exe | 90
1356 set thread context of 2152 | spoolsv.exe | 94
2716 set thread context of 1696 | spoolsv.exe | 98
1624 set thread context of 2964 | spoolsv.exe | 102
2564 set thread context of 1072 | spoolsv.exe | 106
1844 set thread context of 548 | spoolsv.exe | 110
896 set thread context of 572 | spoolsv.exe | 114
2080 set thread context of 2400 | spoolsv.exe | 118
2220 set thread context of 876 | spoolsv.exe | 126
2464 set thread context of 2160 | spoolsv.exe | 130
2648 set thread context of 3016 | spoolsv.exe | 134
1032 set thread context of 1844 | spoolsv.exe | 138
2292 set thread context of 2384 | spoolsv.exe | 142
2156 set thread context of 1668 | spoolsv.exe | 146
1524 set thread context of 1464 | spoolsv.exe | 150
2976 set thread context of 2972 | spoolsv.exe | 154
2536 set thread context of 2700 | spoolsv.exe | 158
2992 set thread context of 1040 | spoolsv.exe | 162
2024 set thread context of 1808 | spoolsv.exe | 166
1952 set thread context of 584 | spoolsv.exe | 170
2368 set thread context of 2176 | spoolsv.exe | 174
1748 set thread context of 2752 | spoolsv.exe | 178
1748 set thread context of 2200 | spoolsv.exe | 179
2808 set thread context of 2676 | spoolsv.exe | 182
1980 set thread context of 2828 | explorer.exe | 184
2276 set thread context of 1676 | spoolsv.exe | 185
2276 set thread context of 1052 | spoolsv.exe | 186
2756 set thread context of 320 | spoolsv.exe | 193
2756 set thread context of 568 | spoolsv.exe | 194
1780 set thread context of 1132 | spoolsv.exe | 195
1860 set thread context of 2908 | spoolsv.exe | 200
2408 set thread context of 2480 | explorer.exe | 198
2472 set thread context of 2552 | spoolsv.exe | 202
2472 set thread context of 2556 | spoolsv.exe | 203
1276 set thread context of 1744 | spoolsv.exe | 204
1276 set thread context of 2208 | spoolsv.exe | 206
2708 set thread context of 2608 | spoolsv.exe | 211
2076 set thread context of 1772 | spoolsv.exe | 212
2076 set thread context of 380 | spoolsv.exe | 213
764 set thread context of 1932 | explorer.exe | 214
Drops file in Windows directory (44 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe (5 entries)
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe (37 entries)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2960, 1704 | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe
1744 | explorer.exe
1824 | explorer.exe (31 entries)
1804, 296, 2784, 2552, 1052, 1636, 1872, 2304, 1616, 2452, 2888, 2508, 2380, 1356, 2716, 1624, 2564, 1844, 896, 2080, 2220, 2464, 2648, 1032, 2292, 2156, 1524, 2976, 2536, 2992 | spoolsv.exe (30 entries)
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process
2960, 1704 | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe (2 entries each)
1744 | explorer.exe (2 entries)
1824 | explorer.exe (4 entries)
1804, 296, 2784, 2552, 1052, 1636, 1872, 2304, 1616, 2452, 2888, 2508, 2380, 1356, 2716, 1624, 2564, 1844, 896, 2080, 2220, 2464, 2648, 1032, 2292, 2156, 1524 | spoolsv.exe (2 entries each, 54 in total)
Suspicious use of WriteProcessMemory (64 IoCs)
description (source pid -> target pid) | Process | procid_target | entries
2960 wrote to memory of 3068 | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe | 28 | 4
2960 wrote to memory of 1752 | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe | 30 | 23
1752 wrote to memory of 1704 | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe | 31 | 9
1752 wrote to memory of 2832 | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe | 32 | 6
1704 wrote to memory of 1744 | 68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe | 33 | 4
1744 wrote to memory of 1808 | explorer.exe | 34 | 4
1744 wrote to memory of 2416 | explorer.exe | 36 | 14
Processes (the number in brackets is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2960
[2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    - Drops startup file
    PID: 3068
[2] C:\Users\Admin\AppData\Local\Temp\68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 1752
[3] C:\Users\Admin\AppData\Local\Temp\68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\68c26299729c5c66edf3d841a8139aa0_NeikiAnalytics.exe
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1704
[4] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1744
[5] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    - Drops startup file
    PID: 1808
[5] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID: 2416
[6] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1824
[7] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1804
[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    - Drops startup file
    PID: 2028
[8] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID: 1748
[9] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe
    PID: 2752
[10] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    PID: 1980
[11] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    PID: 1584
[11] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 2828
[9] C:\Windows\SysWOW64\diskperf.exe
    Command line: "C:\Windows\SysWOW64\diskperf.exe"
    PID: 2200
[7] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 296
[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    PID: 2716
[8] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID: 2276
[9] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe
    PID: 1676
[10] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    PID: 2408
[11] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    - Drops startup file
    PID: 1728
[11] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 2480
[9] C:\Windows\SysWOW64\diskperf.exe
    Command line: "C:\Windows\SysWOW64\diskperf.exe"
    PID: 1052
[7] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 2784
[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    PID: 1768
[8] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID: 2756
[9] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe
    PID: 320
[9] C:\Windows\SysWOW64\diskperf.exe
    Command line: "C:\Windows\SysWOW64\diskperf.exe"
    PID: 568
[7] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 2552
[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    - Drops startup file
    PID: 2600
[8] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID: 2472
[9] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe
    PID: 2552
[9] C:\Windows\SysWOW64\diskperf.exe
    Command line: "C:\Windows\SysWOW64\diskperf.exe"
    PID: 2556
[7] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1052
[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    PID: 1844
[8] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID: 1276
[9] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe
    PID: 1744
[10] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    PID: 764
[11] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    - Drops startup file
    PID: 1568
[11] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 1932
[9] C:\Windows\SysWOW64\diskperf.exe
    Command line: "C:\Windows\SysWOW64\diskperf.exe"
    PID: 2208
[7] \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1636
[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    PID: 2384
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2076 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe9⤵PID:1772
-
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"9⤵PID:380
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:1668
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:1800 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe9⤵PID:2008
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe10⤵PID:2376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"11⤵PID:784
-
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe11⤵PID:1996
-
-
-
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"9⤵PID:1552
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2304 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:2512
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:2616 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe9⤵PID:2572
-
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"9⤵PID:1012
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:2424
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:1612 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe9⤵PID:2656
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe10⤵PID:1064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"11⤵PID:1432
-
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe11⤵PID:1640
-
-
-
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"9⤵PID:1836
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:1072
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:2560 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe9⤵PID:1972
-
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"9⤵PID:3052
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:2880
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:1948
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:376
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:2520
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:2056
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:1492
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:2376
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:2152
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2716 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:1736
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:1696
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:2736
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:2964
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2564 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:2544
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:1072
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:2212
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:548
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:1132
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:572
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:408
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:2400
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:1764
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:1544
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2220 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:2012
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:876
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:932
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:2160
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2648 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:2552
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:3016
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1032 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:316
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:1844
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:1268
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:2384
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2156 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:536
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:1668
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:3052
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:1464
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:2432
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:2972
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:2556
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:2700
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:2180
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:1040
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:2604
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:1808
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1952 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:1048
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:584
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2368 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:2080
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:2176
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:2696
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:2676
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:2584
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:1132
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:816
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:2908
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
PID:768
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:2608
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:1524
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:3056
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2824
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:2864
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:1108
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2300
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:2392
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:2220
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2816
-
-
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"6⤵PID:2036
-
-
-
-
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"3⤵PID:2832
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Downloads