warzonerat | b5aaa832264701489387cb30f6ebb7db6879b445a39d4cb7feb9cdf01d3013c4

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
Size

2.9MB
MD5

019b31b11c21f878b8b061d4b7557b10
SHA1

04241905c593cba4742670e251895063b53ff89c
SHA256

b5aaa832264701489387cb30f6ebb7db6879b445a39d4cb7feb9cdf01d3013c4
SHA512

ca874b461bea9382deba548eae803c3f3bfd2b875284d82cb1d3829b3bab6f1d7a5d93263c52a896b8fa7e8041ff00386d185abf88d458d84b615aa9d27c5662
SSDEEP

24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHc:7v97AXmw4gxeOw46fUbNecCCFbNecl

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 33 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1572	explorer.exe
1624	explorer.exe
2356	explorer.exe
964	spoolsv.exe
912	spoolsv.exe
1956	spoolsv.exe
1548	spoolsv.exe
2144	spoolsv.exe
2492	spoolsv.exe
1456	spoolsv.exe
1144	spoolsv.exe
1248	spoolsv.exe
2924	spoolsv.exe
1764	spoolsv.exe
2096	spoolsv.exe
3040	spoolsv.exe
1832	spoolsv.exe
2724	spoolsv.exe
2772	spoolsv.exe
2668	spoolsv.exe
2652	spoolsv.exe
2824	spoolsv.exe
2460	spoolsv.exe
2184	spoolsv.exe
1644	spoolsv.exe
2992	spoolsv.exe
1160	spoolsv.exe
1152	spoolsv.exe
1488	spoolsv.exe
404	spoolsv.exe
2724	spoolsv.exe
2620	spoolsv.exe
2680	spoolsv.exe
2808	spoolsv.exe
1668	spoolsv.exe
1244	spoolsv.exe
1684	spoolsv.exe
688	spoolsv.exe
1428	spoolsv.exe
1344	spoolsv.exe
3024	spoolsv.exe
784	spoolsv.exe
1620	spoolsv.exe
2588	spoolsv.exe
2624	spoolsv.exe
2380	spoolsv.exe
1640	spoolsv.exe
2496	spoolsv.exe
2600	spoolsv.exe
1960	spoolsv.exe
3000	spoolsv.exe
1820	spoolsv.exe
3032	spoolsv.exe
2864	spoolsv.exe
784	spoolsv.exe
2384	spoolsv.exe
2560	spoolsv.exe
2112	spoolsv.exe
836	spoolsv.exe
1060	spoolsv.exe
2888	spoolsv.exe
2408	spoolsv.exe
684	spoolsv.exe
2988	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1256	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
1256	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
2356	explorer.exe
2356	explorer.exe
964	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
1956	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
2144	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
1456	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
1248	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
1764	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
3040	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
2724	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
2668	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
2824	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
2184	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
2992	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
1152	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
404	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
2620	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
2808	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
1244	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
688	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
1344	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
784	spoolsv.exe
2356	explorer.exe
2356	explorer.exe

Adds Run key to start application 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2208 set thread context of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2972 set thread context of 1256	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2972 set thread context of 2692	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	diskperf.exe
PID 1572 set thread context of 1624	1572	explorer.exe	explorer.exe
PID 1624 set thread context of 2356	1624	explorer.exe	explorer.exe
PID 1624 set thread context of 1120	1624	explorer.exe	diskperf.exe
PID 964 set thread context of 912	964	spoolsv.exe	spoolsv.exe
PID 1956 set thread context of 1548	1956	spoolsv.exe	spoolsv.exe
PID 2144 set thread context of 2492	2144	spoolsv.exe	spoolsv.exe
PID 1456 set thread context of 1144	1456	spoolsv.exe	spoolsv.exe
PID 1248 set thread context of 2924	1248	spoolsv.exe	spoolsv.exe
PID 1764 set thread context of 2096	1764	spoolsv.exe	spoolsv.exe
PID 3040 set thread context of 1832	3040	spoolsv.exe	spoolsv.exe
PID 2724 set thread context of 2772	2724	spoolsv.exe	spoolsv.exe
PID 2668 set thread context of 2652	2668	spoolsv.exe	spoolsv.exe
PID 2824 set thread context of 2460	2824	spoolsv.exe	spoolsv.exe
PID 2184 set thread context of 1644	2184	spoolsv.exe	spoolsv.exe
PID 2992 set thread context of 1160	2992	spoolsv.exe	spoolsv.exe
PID 1152 set thread context of 1488	1152	spoolsv.exe	spoolsv.exe
PID 404 set thread context of 2724	404	spoolsv.exe	spoolsv.exe
PID 2620 set thread context of 2680	2620	spoolsv.exe	spoolsv.exe
PID 2808 set thread context of 1668	2808	spoolsv.exe	spoolsv.exe
PID 1244 set thread context of 1684	1244	spoolsv.exe	spoolsv.exe
PID 688 set thread context of 1428	688	spoolsv.exe	spoolsv.exe
PID 1344 set thread context of 3024	1344	spoolsv.exe	spoolsv.exe
PID 784 set thread context of 1620	784	spoolsv.exe	spoolsv.exe
PID 2588 set thread context of 2624	2588	spoolsv.exe	spoolsv.exe
PID 2380 set thread context of 1640	2380	spoolsv.exe	spoolsv.exe
PID 2496 set thread context of 2600	2496	spoolsv.exe	spoolsv.exe
PID 1960 set thread context of 3000	1960	spoolsv.exe	spoolsv.exe
PID 1820 set thread context of 3032	1820	spoolsv.exe	spoolsv.exe
PID 2864 set thread context of 784	2864	spoolsv.exe	spoolsv.exe
PID 2384 set thread context of 2560	2384	spoolsv.exe	spoolsv.exe
PID 2112 set thread context of 836	2112	spoolsv.exe	spoolsv.exe
PID 1060 set thread context of 2888	1060	spoolsv.exe	spoolsv.exe
PID 2408 set thread context of 684	2408	spoolsv.exe	spoolsv.exe
PID 2988 set thread context of 2936	2988	spoolsv.exe	spoolsv.exe
PID 2892 set thread context of 1296	2892	spoolsv.exe	spoolsv.exe
PID 1664 set thread context of 1908	1664	spoolsv.exe	spoolsv.exe
PID 2592 set thread context of 2596	2592	spoolsv.exe	spoolsv.exe
PID 1572 set thread context of 2688	1572	spoolsv.exe	spoolsv.exe
PID 596 set thread context of 560	596	spoolsv.exe	spoolsv.exe
PID 2912 set thread context of 1744	2912	spoolsv.exe	spoolsv.exe
PID 912 set thread context of 2520	912	spoolsv.exe	spoolsv.exe
PID 912 set thread context of 2900	912	spoolsv.exe	diskperf.exe
PID 572 set thread context of 1956	572	spoolsv.exe	spoolsv.exe
PID 1548 set thread context of 2104	1548	spoolsv.exe	spoolsv.exe
PID 2544 set thread context of 1676	2544	spoolsv.exe	spoolsv.exe
PID 1548 set thread context of 2424	1548	spoolsv.exe	diskperf.exe
PID 2628 set thread context of 1892	2628	explorer.exe	explorer.exe
PID 2492 set thread context of 2672	2492	spoolsv.exe	spoolsv.exe
PID 2492 set thread context of 1136	2492	spoolsv.exe	diskperf.exe
PID 1700 set thread context of 1052	1700	spoolsv.exe	spoolsv.exe
PID 1144 set thread context of 948	1144	spoolsv.exe	spoolsv.exe
PID 1144 set thread context of 1564	1144	spoolsv.exe	diskperf.exe
PID 2552 set thread context of 2996	2552	spoolsv.exe	spoolsv.exe
PID 2924 set thread context of 1520	2924	spoolsv.exe	spoolsv.exe
PID 2924 set thread context of 1648	2924	spoolsv.exe	diskperf.exe
PID 2096 set thread context of 2040	2096	spoolsv.exe	spoolsv.exe
PID 1968 set thread context of 1364	1968	explorer.exe	explorer.exe
PID 2096 set thread context of 2392	2096	spoolsv.exe	diskperf.exe
PID 1832 set thread context of 1424	1832	spoolsv.exe	spoolsv.exe
PID 1832 set thread context of 2964	1832	spoolsv.exe	diskperf.exe
PID 960 set thread context of 596	960	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 58 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3012 2888 WerFault.exe spoolsv.exe

pid	pid_target	process	target process
3012	2888	WerFault.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
1256	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
1572	explorer.exe
964	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
1956	spoolsv.exe
2356	explorer.exe
2144	spoolsv.exe
2356	explorer.exe
1456	spoolsv.exe
2356	explorer.exe
1248	spoolsv.exe
2356	explorer.exe
1764	spoolsv.exe
2356	explorer.exe
3040	spoolsv.exe
2356	explorer.exe
2724	spoolsv.exe
2356	explorer.exe
2668	spoolsv.exe
2356	explorer.exe
2824	spoolsv.exe
2356	explorer.exe
2184	spoolsv.exe
2356	explorer.exe
2992	spoolsv.exe
2356	explorer.exe
1152	spoolsv.exe
2356	explorer.exe
404	spoolsv.exe
2356	explorer.exe
2620	spoolsv.exe
2356	explorer.exe
2808	spoolsv.exe
2356	explorer.exe
1244	spoolsv.exe
2356	explorer.exe
688	spoolsv.exe
2356	explorer.exe
1344	spoolsv.exe
2356	explorer.exe
784	spoolsv.exe
2356	explorer.exe
2588	spoolsv.exe
2356	explorer.exe
2380	spoolsv.exe
2356	explorer.exe
2496	spoolsv.exe
2356	explorer.exe
1960	spoolsv.exe
2356	explorer.exe
1820	spoolsv.exe
2356	explorer.exe
2864	spoolsv.exe
2356	explorer.exe
2384	spoolsv.exe
2356	explorer.exe
2112	spoolsv.exe
2356	explorer.exe
1060	spoolsv.exe
2356	explorer.exe
2408	spoolsv.exe
2356	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
1256	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
1256	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
1572	explorer.exe
1572	explorer.exe
2356	explorer.exe
2356	explorer.exe
964	spoolsv.exe
964	spoolsv.exe
2356	explorer.exe
2356	explorer.exe
1956	spoolsv.exe
1956	spoolsv.exe
2144	spoolsv.exe
2144	spoolsv.exe
1456	spoolsv.exe
1456	spoolsv.exe
1248	spoolsv.exe
1248	spoolsv.exe
1764	spoolsv.exe
1764	spoolsv.exe
3040	spoolsv.exe
3040	spoolsv.exe
2724	spoolsv.exe
2724	spoolsv.exe
2668	spoolsv.exe
2668	spoolsv.exe
2824	spoolsv.exe
2824	spoolsv.exe
2184	spoolsv.exe
2184	spoolsv.exe
2992	spoolsv.exe
2992	spoolsv.exe
1152	spoolsv.exe
1152	spoolsv.exe
404	spoolsv.exe
404	spoolsv.exe
2620	spoolsv.exe
2620	spoolsv.exe
2808	spoolsv.exe
2808	spoolsv.exe
1244	spoolsv.exe
1244	spoolsv.exe
688	spoolsv.exe
688	spoolsv.exe
1344	spoolsv.exe
1344	spoolsv.exe
784	spoolsv.exe
784	spoolsv.exe
2588	spoolsv.exe
2588	spoolsv.exe
2380	spoolsv.exe
2380	spoolsv.exe
2496	spoolsv.exe
2496	spoolsv.exe
1960	spoolsv.exe
1960	spoolsv.exe
1820	spoolsv.exe
1820	spoolsv.exe
2864	spoolsv.exe
2864	spoolsv.exe
2384	spoolsv.exe
2384	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exeexplorer.exe

description	pid	process	target process
PID 2208 wrote to memory of 2676	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2676	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2676	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2676	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2208 wrote to memory of 2972	2208	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2972 wrote to memory of 1256	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2972 wrote to memory of 1256	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2972 wrote to memory of 1256	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2972 wrote to memory of 1256	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2972 wrote to memory of 1256	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2972 wrote to memory of 1256	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2972 wrote to memory of 1256	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2972 wrote to memory of 1256	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2972 wrote to memory of 1256	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
PID 2972 wrote to memory of 2692	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	diskperf.exe
PID 2972 wrote to memory of 2692	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	diskperf.exe
PID 2972 wrote to memory of 2692	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	diskperf.exe
PID 2972 wrote to memory of 2692	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	diskperf.exe
PID 2972 wrote to memory of 2692	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	diskperf.exe
PID 2972 wrote to memory of 2692	2972	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	diskperf.exe
PID 1256 wrote to memory of 1572	1256	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	explorer.exe
PID 1256 wrote to memory of 1572	1256	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	explorer.exe
PID 1256 wrote to memory of 1572	1256	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	explorer.exe
PID 1256 wrote to memory of 1572	1256	019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe	explorer.exe
PID 1572 wrote to memory of 1800	1572	explorer.exe	cmd.exe
PID 1572 wrote to memory of 1800	1572	explorer.exe	cmd.exe
PID 1572 wrote to memory of 1800	1572	explorer.exe	cmd.exe
PID 1572 wrote to memory of 1800	1572	explorer.exe	cmd.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe
PID 1572 wrote to memory of 1624	1572	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:2676

C:\Users\Admin\AppData\Local\Temp\019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\019b31b11c21f878b8b061d4b7557b10_NeikiAnalytics.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:1800

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1624

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2520

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2228

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1892

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:948

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:2840

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1520

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2040

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1424

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1004

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1588

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2200

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2472

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1596

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:848

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2848

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1928

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2032

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2076

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2324

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1612

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 36
9⤵
- Program crash
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:284

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1120

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1274306360990667168-1992494106-238374927-1015731877103631628037516675-745975642"
1⤵
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
019b31b11c21f878b8b061d4b7557b10

SHA1
04241905c593cba4742670e251895063b53ff89c

SHA256
b5aaa832264701489387cb30f6ebb7db6879b445a39d4cb7feb9cdf01d3013c4

SHA512
ca874b461bea9382deba548eae803c3f3bfd2b875284d82cb1d3829b3bab6f1d7a5d93263c52a896b8fa7e8041ff00386d185abf88d458d84b615aa9d27c5662

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
3d07214c95f4defbbefdd9473a69b7ff

SHA1
14f889062a2a496ebeed62233bd662ffe1ce9cf6

SHA256
d79c151278713ddc2a2efe0ab667906d36c939c2ecb3ead136a77a4565526dba

SHA512
40e2c77d48c8b0c894bb84ed858d34a45d950f0e2428a30f9b5791157ace09ff20bff013557de934ffe993f30bff986896d811b596e9f3a9007af6fefc40ae7b

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
b7942ad1708c6c306e6a358d1c773343

SHA1
540567f2553132e3efef2a63a52cd952b90fb4f8

SHA256
9c37e1af129a7c22a5ef6ad567c709b0580da389a4c905e19c54f71d6c395d51

SHA512
122e26e6ea0354b47f2756295283f29077220342acf0298ebb87641da5cd54e166135f69338ae16c06a46d806782c57e703ff951be3701ab1a52e36a42730768

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
3aa0b47b71831e7fc39c3cd8cdd0f794

SHA1
e23a1904ca0b4c377e5295ab2df1f48ab7a8c163

SHA256
70146758bf952e8f5fb7e2d06025528dcc7da9682632854a790855ad6a2461b6

SHA512
42f768d0de0c90b600f575ba6174ac6c3fce084d6b8703fed3f171b662ea8774300ea89af02f9d985cb91739b5ce01c9f4299e10a762b2a351cf0a3e2df2b642

Download Submit
memory/684-1646-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/784-1454-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/836-1552-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/912-240-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/912-2037-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1144-2274-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1144-396-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1160-789-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1160-2846-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1256-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-52-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1296-1742-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1428-1073-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1488-2893-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1488-836-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1548-292-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1548-2115-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1620-1168-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1624-171-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1624-143-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1640-1264-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1644-2733-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1644-741-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1668-977-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1684-1025-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1832-2475-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1832-545-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1908-1792-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2096-496-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2096-2397-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2356-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-695-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2460-2664-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2492-2227-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2492-344-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2560-1501-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2596-1837-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2600-1313-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2624-1216-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2652-647-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2652-2597-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2680-930-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2680-3075-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2688-1890-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2692-84-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2692-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2692-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2724-3022-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2724-882-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2772-595-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2772-2517-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2888-1595-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2924-446-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2924-2338-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2936-1691-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2972-13-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-77-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2972-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2972-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-16-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-23-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-41-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2972-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-29-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2972-34-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-39-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2972-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-44-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2972-46-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2972-47-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2972-42-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2972-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3000-1360-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3024-1121-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3032-1406-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download