warzonerat | 0c6cf73f1c2c725cfc92f37bc86b42297ed8b56925e3b98777c4c725ea2de09d

Analysis

max time kernel
149s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
Size

2.9MB
MD5

38a6e4938faefdf4d99779a81642d5a0
SHA1

3202d0586d9f2646f68b06d456ecd5970147387f
SHA256

0c6cf73f1c2c725cfc92f37bc86b42297ed8b56925e3b98777c4c725ea2de09d
SHA512

b8e6f66e11b88b70e44b1ccf91e4c557bf69f8c5eb945b50f1603f05aae80a2fcbb495f29bcc01e9b4091cb80231e8a43d93da5ec96867358d734c69d415868e
SSDEEP

24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHL:7v97AXmw4gxeOw46fUbNecCCFbNecW

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 33 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2396	explorer.exe
1044	explorer.exe
1008	explorer.exe
2920	spoolsv.exe
1468	spoolsv.exe
1748	spoolsv.exe
1904	spoolsv.exe
2844	spoolsv.exe
2576	spoolsv.exe
1488	spoolsv.exe
1676	spoolsv.exe
4140	spoolsv.exe
2448	spoolsv.exe
744	spoolsv.exe
2848	spoolsv.exe
5100	spoolsv.exe
3800	spoolsv.exe
2264	spoolsv.exe
4680	spoolsv.exe
2832	spoolsv.exe
372	spoolsv.exe
5076	spoolsv.exe
5020	spoolsv.exe
4864	spoolsv.exe
4376	spoolsv.exe
4360	spoolsv.exe
3384	spoolsv.exe
1400	spoolsv.exe
3832	spoolsv.exe
4648	spoolsv.exe
3964	spoolsv.exe
4332	spoolsv.exe
2388	spoolsv.exe
3484	spoolsv.exe
2908	spoolsv.exe
4772	spoolsv.exe
2672	spoolsv.exe
4380	spoolsv.exe
3740	spoolsv.exe
1668	spoolsv.exe
1748	spoolsv.exe
3020	spoolsv.exe
1584	spoolsv.exe
4336	spoolsv.exe
1488	spoolsv.exe
1212	spoolsv.exe
4140	spoolsv.exe
4272	spoolsv.exe
2716	spoolsv.exe
912	spoolsv.exe
2468	spoolsv.exe
732	spoolsv.exe
1320	spoolsv.exe
856	spoolsv.exe
3468	spoolsv.exe
4204	spoolsv.exe
4628	spoolsv.exe
4824	spoolsv.exe
1968	spoolsv.exe
2632	spoolsv.exe
4432	spoolsv.exe
4528	spoolsv.exe
1872	spoolsv.exe
3376	spoolsv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exeexplorer.exeexplorer.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 37 IoCs

Processes:

38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 4544 set thread context of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 1476 set thread context of 4920	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 1476 set thread context of 4792	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	diskperf.exe
PID 2396 set thread context of 1044	2396	explorer.exe	explorer.exe
PID 1044 set thread context of 1008	1044	explorer.exe	explorer.exe
PID 2920 set thread context of 1468	2920	spoolsv.exe	spoolsv.exe
PID 1748 set thread context of 1904	1748	spoolsv.exe	spoolsv.exe
PID 2844 set thread context of 2576	2844	spoolsv.exe	spoolsv.exe
PID 1488 set thread context of 1676	1488	spoolsv.exe	spoolsv.exe
PID 4140 set thread context of 2448	4140	spoolsv.exe	spoolsv.exe
PID 744 set thread context of 2848	744	spoolsv.exe	spoolsv.exe
PID 5100 set thread context of 3800	5100	spoolsv.exe	spoolsv.exe
PID 2264 set thread context of 4680	2264	spoolsv.exe	spoolsv.exe
PID 2832 set thread context of 372	2832	spoolsv.exe	spoolsv.exe
PID 5076 set thread context of 5020	5076	spoolsv.exe	spoolsv.exe
PID 4864 set thread context of 4376	4864	spoolsv.exe	spoolsv.exe
PID 4360 set thread context of 3384	4360	spoolsv.exe	spoolsv.exe
PID 1400 set thread context of 3832	1400	spoolsv.exe	spoolsv.exe
PID 4648 set thread context of 3964	4648	spoolsv.exe	spoolsv.exe
PID 4332 set thread context of 2388	4332	spoolsv.exe	spoolsv.exe
PID 3484 set thread context of 2908	3484	spoolsv.exe	spoolsv.exe
PID 4772 set thread context of 2672	4772	spoolsv.exe	spoolsv.exe
PID 4380 set thread context of 3740	4380	spoolsv.exe	spoolsv.exe
PID 1668 set thread context of 1748	1668	spoolsv.exe	spoolsv.exe
PID 3020 set thread context of 1584	3020	spoolsv.exe	spoolsv.exe
PID 4336 set thread context of 1488	4336	spoolsv.exe	spoolsv.exe
PID 1212 set thread context of 4140	1212	spoolsv.exe	spoolsv.exe
PID 4272 set thread context of 2716	4272	spoolsv.exe	spoolsv.exe
PID 912 set thread context of 2468	912	spoolsv.exe	spoolsv.exe
PID 732 set thread context of 1320	732	spoolsv.exe	spoolsv.exe
PID 856 set thread context of 3468	856	spoolsv.exe	spoolsv.exe
PID 4204 set thread context of 4628	4204	spoolsv.exe	spoolsv.exe
PID 4824 set thread context of 1968	4824	spoolsv.exe	spoolsv.exe
PID 2632 set thread context of 2820	2632	spoolsv.exe	spoolsv.exe
PID 3484 set thread context of 2940	3484	spoolsv.exe	spoolsv.exe
PID 2860 set thread context of 1744	2860	spoolsv.exe	spoolsv.exe
PID 2848 set thread context of 4068	2848	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 35 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3780 4388 WerFault.exe spoolsv.exe
4828 4004 WerFault.exe spoolsv.exe

pid	pid_target	process	target process
3780	4388	WerFault.exe	spoolsv.exe
4828	4004	WerFault.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
4920	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
4920	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
2396	explorer.exe
2396	explorer.exe
2920	spoolsv.exe
2920	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1748	spoolsv.exe
1748	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
2844	spoolsv.exe
2844	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
1488	spoolsv.exe
1488	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
4140	spoolsv.exe
4140	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
744	spoolsv.exe
744	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
5100	spoolsv.exe
5100	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
2264	spoolsv.exe
2264	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
2832	spoolsv.exe
2832	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
5076	spoolsv.exe
5076	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
4864	spoolsv.exe
4864	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
4360	spoolsv.exe
4360	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
1400	spoolsv.exe
1400	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
4648	spoolsv.exe
4648	spoolsv.exe
1008	explorer.exe
1008	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
4920	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
4920	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
2396	explorer.exe
2396	explorer.exe
1008	explorer.exe
1008	explorer.exe
2920	spoolsv.exe
2920	spoolsv.exe
1008	explorer.exe
1008	explorer.exe
1748	spoolsv.exe
1748	spoolsv.exe
2844	spoolsv.exe
2844	spoolsv.exe
1488	spoolsv.exe
1488	spoolsv.exe
4140	spoolsv.exe
4140	spoolsv.exe
744	spoolsv.exe
744	spoolsv.exe
5100	spoolsv.exe
5100	spoolsv.exe
2264	spoolsv.exe
2264	spoolsv.exe
2832	spoolsv.exe
2832	spoolsv.exe
5076	spoolsv.exe
5076	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4360	spoolsv.exe
4360	spoolsv.exe
1400	spoolsv.exe
1400	spoolsv.exe
4648	spoolsv.exe
4648	spoolsv.exe
4332	spoolsv.exe
4332	spoolsv.exe
3484	spoolsv.exe
3484	spoolsv.exe
4772	spoolsv.exe
4772	spoolsv.exe
4380	spoolsv.exe
4380	spoolsv.exe
1668	spoolsv.exe
1668	spoolsv.exe
3020	spoolsv.exe
3020	spoolsv.exe
4336	spoolsv.exe
4336	spoolsv.exe
1212	spoolsv.exe
1212	spoolsv.exe
4272	spoolsv.exe
4272	spoolsv.exe
912	spoolsv.exe
912	spoolsv.exe
732	spoolsv.exe
732	spoolsv.exe
856	spoolsv.exe
856	spoolsv.exe
4204	spoolsv.exe
4204	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exeexplorer.exe

description	pid	process	target process
PID 4544 wrote to memory of 3444	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	cmd.exe
PID 4544 wrote to memory of 3444	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	cmd.exe
PID 4544 wrote to memory of 3444	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	cmd.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 4544 wrote to memory of 1476	4544	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 1476 wrote to memory of 4920	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 1476 wrote to memory of 4920	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 1476 wrote to memory of 4920	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 1476 wrote to memory of 4920	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 1476 wrote to memory of 4920	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 1476 wrote to memory of 4920	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 1476 wrote to memory of 4920	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 1476 wrote to memory of 4920	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
PID 1476 wrote to memory of 4792	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	diskperf.exe
PID 1476 wrote to memory of 4792	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	diskperf.exe
PID 1476 wrote to memory of 4792	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	diskperf.exe
PID 1476 wrote to memory of 4792	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	diskperf.exe
PID 1476 wrote to memory of 4792	1476	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	diskperf.exe
PID 4920 wrote to memory of 2396	4920	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	explorer.exe
PID 4920 wrote to memory of 2396	4920	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	explorer.exe
PID 4920 wrote to memory of 2396	4920	38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe	explorer.exe
PID 2396 wrote to memory of 4840	2396	explorer.exe	cmd.exe
PID 2396 wrote to memory of 4840	2396	explorer.exe	cmd.exe
PID 2396 wrote to memory of 4840	2396	explorer.exe	cmd.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe
PID 2396 wrote to memory of 1044	2396	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:3444

C:\Users\Admin\AppData\Local\Temp\38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\38a6e4938faefdf4d99779a81642d5a0_NeikiAnalytics.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:4840

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1044

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3600

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4268

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2724

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:4356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4068

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:5068

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3588

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4488

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:4704

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:5020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:5052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:5064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 552
8⤵
- Program crash
PID:3780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 560
8⤵
- Program crash
PID:4828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2724

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388
1⤵
PID:4984

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
38a6e4938faefdf4d99779a81642d5a0

SHA1
3202d0586d9f2646f68b06d456ecd5970147387f

SHA256
0c6cf73f1c2c725cfc92f37bc86b42297ed8b56925e3b98777c4c725ea2de09d

SHA512
b8e6f66e11b88b70e44b1ccf91e4c557bf69f8c5eb945b50f1603f05aae80a2fcbb495f29bcc01e9b4091cb80231e8a43d93da5ec96867358d734c69d415868e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.9MB

MD5
38c64dc0ff0cad7aad3033073839f874

SHA1
e926e4f5f4a29e8297f0a41f9e875798147fcf5d

SHA256
3071e3c9c718a915f463aa671bdb59654cefdb07561a566d8da6faaf4f505383

SHA512
cb58eef8a5fd4177018287a72923b9542b0109e684b92d0bab0465ccfad59490aa4f3fba724e01511bec94c3f37b312a02323acc5fdf57942bf1fb1ae1763370

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.9MB

MD5
05ba7dd3d511fbc0cdacd02ed661b47f

SHA1
fa2f992d98407e7cf9c0b6eccd5bb1008c23d8ff

SHA256
33862616c30460a8e3b6211f325690c020c1f4873f8e4ee465b8e955d061adf8

SHA512
cae3bef26360cb515e6b846aa038d2b0e4c9b84f66091c544f54aa158a3851fdc3cc3df9f7f35abbc47a87c0f13e7659811c62a0f72c533d433cff9157f2612b

Download Submit
memory/372-616-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/372-186-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1008-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1044-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-48-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1044-66-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-69-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1044-52-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1044-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1044-43-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1044-46-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1320-388-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1468-85-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1468-81-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1468-84-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1468-80-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1468-83-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1468-82-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1468-526-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1476-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1476-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1476-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1476-7-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1476-6-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1476-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1476-10-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1476-2-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1476-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1476-8-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1476-32-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1476-11-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1476-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1476-13-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1488-343-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1584-331-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1676-547-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1676-121-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1744-459-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1748-320-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1904-559-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1904-98-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1904-97-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1904-94-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1904-99-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1904-96-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1904-95-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1968-423-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1988-555-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2388-266-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2448-136-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2448-525-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2468-377-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2576-108-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2576-106-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2576-107-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2576-111-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2576-110-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2576-494-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2576-109-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2672-293-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2716-366-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2724-531-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2820-435-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2848-508-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2848-149-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2908-279-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3384-225-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3468-398-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3600-541-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3740-306-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3800-161-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3800-581-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3832-239-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3964-252-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4068-584-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4140-354-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4268-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-212-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4628-411-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4680-175-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/4680-601-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/4792-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4792-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4792-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4828-578-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5020-199-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download