warzonerat | 7995343b94efec421a8c1a77985387aeee794d60b820f7f28f09e521fece04f9

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
Size

1.8MB
MD5

400760ae7421b03084f7e3a8a8a07850
SHA1

280ca6a777b2515172f0b1d5d76e4d6291cd3c55
SHA256

7995343b94efec421a8c1a77985387aeee794d60b820f7f28f09e521fece04f9
SHA512

f1ac15818e68ad6ce8f252adbfc764446c52011c07857d69745f0ba3d81916a71dfacc52a743dd7943f245fd117b13fc60521ae3a413bb9b41cc87ee440a0525
SSDEEP

12288:Q99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSG9dA7W2FeDSIGVH/KIDgM:k1gg4CppEI6GGfWDkMQDbGV6eH8tkH

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2120	explorer.exe
4116	explorer.exe
2720	spoolsv.exe
2560	spoolsv.exe
4092	spoolsv.exe
976	spoolsv.exe
1768	spoolsv.exe
2372	spoolsv.exe
3432	spoolsv.exe
4600	spoolsv.exe
3848	spoolsv.exe
2196	spoolsv.exe
1372	spoolsv.exe
3748	spoolsv.exe
3908	spoolsv.exe
836	spoolsv.exe
220	spoolsv.exe
2520	spoolsv.exe
1380	spoolsv.exe
1084	spoolsv.exe
3320	spoolsv.exe
1460	spoolsv.exe
4684	spoolsv.exe
4220	spoolsv.exe
440	spoolsv.exe
3096	spoolsv.exe
4908	spoolsv.exe
1872	spoolsv.exe
3068	spoolsv.exe
1996	spoolsv.exe
3036	spoolsv.exe
4380	spoolsv.exe
1452	spoolsv.exe
3720	spoolsv.exe
4404	spoolsv.exe
3600	spoolsv.exe
4276	spoolsv.exe
1000	spoolsv.exe
2100	spoolsv.exe
644	spoolsv.exe
1012	spoolsv.exe
2448	spoolsv.exe
624	spoolsv.exe
1392	spoolsv.exe
1428	spoolsv.exe
1840	spoolsv.exe
1592	spoolsv.exe
1164	spoolsv.exe
2948	spoolsv.exe
2980	spoolsv.exe
4040	spoolsv.exe
4616	spoolsv.exe
2020	spoolsv.exe
1536	spoolsv.exe
4836	spoolsv.exe
464	spoolsv.exe
4148	spoolsv.exe
628	spoolsv.exe
3548	spoolsv.exe
3576	spoolsv.exe
4216	spoolsv.exe
3264	spoolsv.exe
4332	spoolsv.exe
3876	spoolsv.exe

Adds Run key to start application 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1556 set thread context of 2676	1556	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
PID 2120 set thread context of 4116	2120	explorer.exe	explorer.exe
PID 2120 set thread context of 1692	2120	explorer.exe	diskperf.exe
PID 2720 set thread context of 7240	2720	spoolsv.exe	spoolsv.exe
PID 2560 set thread context of 7360	2560	spoolsv.exe	spoolsv.exe
PID 2560 set thread context of 7376	2560	spoolsv.exe	diskperf.exe
PID 4092 set thread context of 7460	4092	spoolsv.exe	spoolsv.exe
PID 4092 set thread context of 7476	4092	spoolsv.exe	diskperf.exe
PID 976 set thread context of 7552	976	spoolsv.exe	spoolsv.exe
PID 976 set thread context of 7568	976	spoolsv.exe	diskperf.exe
PID 1768 set thread context of 7624	1768	spoolsv.exe	spoolsv.exe
PID 1768 set thread context of 7636	1768	spoolsv.exe	diskperf.exe
PID 2372 set thread context of 7720	2372	spoolsv.exe	spoolsv.exe
PID 2372 set thread context of 7736	2372	spoolsv.exe	diskperf.exe
PID 3432 set thread context of 7816	3432	spoolsv.exe	spoolsv.exe
PID 3432 set thread context of 7828	3432	spoolsv.exe	diskperf.exe
PID 4600 set thread context of 7896	4600	spoolsv.exe	spoolsv.exe
PID 4600 set thread context of 7908	4600	spoolsv.exe	diskperf.exe
PID 3848 set thread context of 7988	3848	spoolsv.exe	spoolsv.exe
PID 3848 set thread context of 8004	3848	spoolsv.exe	diskperf.exe
PID 2196 set thread context of 8080	2196	spoolsv.exe	spoolsv.exe
PID 2196 set thread context of 8100	2196	spoolsv.exe	diskperf.exe
PID 1372 set thread context of 8188	1372	spoolsv.exe	spoolsv.exe
PID 1372 set thread context of 7248	1372	spoolsv.exe	diskperf.exe
PID 3748 set thread context of 7252	3748	spoolsv.exe	spoolsv.exe
PID 3748 set thread context of 4124	3748	spoolsv.exe	diskperf.exe
PID 3908 set thread context of 7372	3908	spoolsv.exe	spoolsv.exe
PID 3908 set thread context of 7468	3908	spoolsv.exe	diskperf.exe
PID 836 set thread context of 7592	836	spoolsv.exe	spoolsv.exe
PID 836 set thread context of 7472	836	spoolsv.exe	diskperf.exe
PID 220 set thread context of 1136	220	spoolsv.exe	spoolsv.exe
PID 220 set thread context of 7696	220	spoolsv.exe	diskperf.exe
PID 2520 set thread context of 7844	2520	spoolsv.exe	spoolsv.exe
PID 2520 set thread context of 7848	2520	spoolsv.exe	diskperf.exe
PID 1380 set thread context of 7936	1380	spoolsv.exe	spoolsv.exe
PID 1380 set thread context of 7952	1380	spoolsv.exe	diskperf.exe
PID 1084 set thread context of 8024	1084	spoolsv.exe	spoolsv.exe
PID 1084 set thread context of 7992	1084	spoolsv.exe	diskperf.exe
PID 3320 set thread context of 8164	3320	spoolsv.exe	spoolsv.exe
PID 3320 set thread context of 8180	3320	spoolsv.exe	diskperf.exe
PID 1460 set thread context of 2212	1460	spoolsv.exe	spoolsv.exe
PID 1460 set thread context of 8188	1460	spoolsv.exe	diskperf.exe
PID 4684 set thread context of 2480	4684	spoolsv.exe	spoolsv.exe
PID 4684 set thread context of 7564	4684	spoolsv.exe	diskperf.exe
PID 4220 set thread context of 7664	4220	spoolsv.exe	spoolsv.exe
PID 4220 set thread context of 7548	4220	spoolsv.exe	diskperf.exe
PID 440 set thread context of 7760	440	spoolsv.exe	spoolsv.exe
PID 440 set thread context of 7864	440	spoolsv.exe	diskperf.exe
PID 3096 set thread context of 7924	3096	spoolsv.exe	spoolsv.exe
PID 3096 set thread context of 7948	3096	spoolsv.exe	diskperf.exe
PID 4908 set thread context of 8092	4908	spoolsv.exe	spoolsv.exe
PID 4908 set thread context of 2380	4908	spoolsv.exe	diskperf.exe
PID 1872 set thread context of 7292	1872	spoolsv.exe	spoolsv.exe
PID 1872 set thread context of 1420	1872	spoolsv.exe	diskperf.exe
PID 3068 set thread context of 3992	3068	spoolsv.exe	spoolsv.exe
PID 3068 set thread context of 2776	3068	spoolsv.exe	diskperf.exe
PID 1996 set thread context of 3016	1996	spoolsv.exe	spoolsv.exe
PID 1996 set thread context of 1808	1996	spoolsv.exe	diskperf.exe
PID 3036 set thread context of 7576	3036	spoolsv.exe	spoolsv.exe
PID 3036 set thread context of 1636	3036	spoolsv.exe	diskperf.exe
PID 4380 set thread context of 1732	4380	spoolsv.exe	spoolsv.exe
PID 4380 set thread context of 7984	4380	spoolsv.exe	diskperf.exe
PID 1452 set thread context of 2400	1452	spoolsv.exe	spoolsv.exe
PID 1452 set thread context of 2832	1452	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exe400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exeexplorer.exe

pid	process
2676	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
2676	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

4116 explorer.exe

pid	process
4116	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2676	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
2676	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
4116	explorer.exe
7240	spoolsv.exe
7240	spoolsv.exe
7360	spoolsv.exe
7360	spoolsv.exe
7460	spoolsv.exe
7460	spoolsv.exe
7552	spoolsv.exe
7552	spoolsv.exe
7624	spoolsv.exe
7624	spoolsv.exe
7720	spoolsv.exe
7720	spoolsv.exe
7816	spoolsv.exe
7816	spoolsv.exe
7896	spoolsv.exe
7896	spoolsv.exe
7988	spoolsv.exe
7988	spoolsv.exe
8080	spoolsv.exe
8080	spoolsv.exe
8188	spoolsv.exe
8188	spoolsv.exe
7252	spoolsv.exe
7252	spoolsv.exe
7372	spoolsv.exe
7372	spoolsv.exe
7592	spoolsv.exe
7592	spoolsv.exe
1136	spoolsv.exe
1136	spoolsv.exe
7844	spoolsv.exe
7844	spoolsv.exe
7936	spoolsv.exe
7936	spoolsv.exe
8024	spoolsv.exe
8024	spoolsv.exe
8164	spoolsv.exe
8164	spoolsv.exe
2212	spoolsv.exe
2212	spoolsv.exe
2480	spoolsv.exe
2480	spoolsv.exe
7664	spoolsv.exe
7664	spoolsv.exe
7760	spoolsv.exe
7760	spoolsv.exe
7924	spoolsv.exe
7924	spoolsv.exe
8092	spoolsv.exe
8092	spoolsv.exe
7292	spoolsv.exe
7292	spoolsv.exe
3992	spoolsv.exe
3992	spoolsv.exe
3016	spoolsv.exe
3016	spoolsv.exe
7576	spoolsv.exe
7576	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1556 wrote to memory of 2676	1556	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
PID 1556 wrote to memory of 2676	1556	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
PID 1556 wrote to memory of 2676	1556	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
PID 1556 wrote to memory of 2676	1556	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
PID 1556 wrote to memory of 2676	1556	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
PID 1556 wrote to memory of 2676	1556	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
PID 1556 wrote to memory of 2676	1556	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
PID 1556 wrote to memory of 2676	1556	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
PID 1556 wrote to memory of 1484	1556	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	diskperf.exe
PID 1556 wrote to memory of 1484	1556	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	diskperf.exe
PID 1556 wrote to memory of 1484	1556	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	diskperf.exe
PID 2676 wrote to memory of 2120	2676	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	explorer.exe
PID 2676 wrote to memory of 2120	2676	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	explorer.exe
PID 2676 wrote to memory of 2120	2676	400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe	explorer.exe
PID 2120 wrote to memory of 4116	2120	explorer.exe	explorer.exe
PID 2120 wrote to memory of 4116	2120	explorer.exe	explorer.exe
PID 2120 wrote to memory of 4116	2120	explorer.exe	explorer.exe
PID 2120 wrote to memory of 4116	2120	explorer.exe	explorer.exe
PID 2120 wrote to memory of 4116	2120	explorer.exe	explorer.exe
PID 2120 wrote to memory of 4116	2120	explorer.exe	explorer.exe
PID 2120 wrote to memory of 4116	2120	explorer.exe	explorer.exe
PID 2120 wrote to memory of 4116	2120	explorer.exe	explorer.exe
PID 2120 wrote to memory of 1692	2120	explorer.exe	diskperf.exe
PID 2120 wrote to memory of 1692	2120	explorer.exe	diskperf.exe
PID 2120 wrote to memory of 1692	2120	explorer.exe	diskperf.exe
PID 2120 wrote to memory of 1692	2120	explorer.exe	diskperf.exe
PID 2120 wrote to memory of 1692	2120	explorer.exe	diskperf.exe
PID 4116 wrote to memory of 2720	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 2720	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 2720	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 2560	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 2560	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 2560	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 4092	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 4092	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 4092	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 976	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 976	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 976	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 1768	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 1768	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 1768	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 2372	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 2372	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 2372	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 3432	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 3432	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 3432	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 4600	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 4600	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 4600	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 3848	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 3848	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 3848	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 2196	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 2196	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 2196	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 1372	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 1372	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 1372	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 3748	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 3748	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 3748	4116	explorer.exe	spoolsv.exe
PID 4116 wrote to memory of 3908	4116	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\400760ae7421b03084f7e3a8a8a07850_NeikiAnalytics.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2120

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:7240

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7360

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7424

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7460

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7516

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7552

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7624

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7688

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7720

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7796

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7896

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7964

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7988

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:8056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:8004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:8080

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:8156

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:8100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:8188

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7252

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7372

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7592

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7616

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1136

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7356

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7844

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7936

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:8024

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:8132

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:8164

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7312

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:8180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2212

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7396

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:8188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2480

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7664

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7760

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7924

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:8020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:8092

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:8120

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7292

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:224

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3992

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7456

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4136

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7576

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3708

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1732

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2400

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:8108

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:7280

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:7508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3556

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:8000

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3332

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4180

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4676

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4368

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:100

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4584

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:380

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:7900

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2576

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:8112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1820

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3784

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4476

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:7732

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3280

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2500

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5228

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7712

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1140

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5320

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5200

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2572

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2004

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4448

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5420

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9168

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9164

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9204

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:668

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4940

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5656

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9260

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9312

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9364

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9416

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9464

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9592

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9656

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9712

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9764

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9816

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9924

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9984

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:10040

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:10092

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:10064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:10156

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:10212

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:10176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5704

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9320

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9412

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9480

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9476

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:428

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1404

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9868

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:9960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5996

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:10056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:10032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:10196

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:10160

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:10188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4936

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3128

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:9068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:9432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:7284

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
Filesize
1.8MB

MD5
400760ae7421b03084f7e3a8a8a07850

SHA1
280ca6a777b2515172f0b1d5d76e4d6291cd3c55

SHA256
7995343b94efec421a8c1a77985387aeee794d60b820f7f28f09e521fece04f9

SHA512
f1ac15818e68ad6ce8f252adbfc764446c52011c07857d69745f0ba3d81916a71dfacc52a743dd7943f245fd117b13fc60521ae3a413bb9b41cc87ee440a0525

Download Submit
C:\Windows\System\explorer.exe
Filesize
1.8MB

MD5
82373c8bf058477d3716f8911250f59f

SHA1
06fa6a028395bd413958d842667fb7443016cbe6

SHA256
9235c9b6d15686f6a7458130acaea70f0b437709ed0ae179e8fa5f353e7ee909

SHA512
21b954f990153e1a07f47cabaf72023798f2e04ebf4585f93a18e9008e2a445906d7a2f756699657349cca474eaad67814041343cd677fb683f024903d95a389

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
1.8MB

MD5
4b60365eaa11579371bc44f02ba80966

SHA1
1785e5e928c07c796125648b36d7076dff8fd8a4

SHA256
fe231a9c2b92f7513368bca48adf44f325e54bd1bf8f346ee21185d5fe8b7e06

SHA512
6882db6dc753fb08d55b7da4954015acb96c6ef13ed3975da04100d8dfb3ca087c1a56eaf4e6501542ae60e4e54712cdec5c64861d8e0de44944498bac7064cc

Download Submit
memory/220-92-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/440-108-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/464-157-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/464-177-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/624-149-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/628-181-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/644-121-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/644-143-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/680-180-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/836-90-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/976-69-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1000-139-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1012-145-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1084-98-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1092-176-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1096-188-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1164-161-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1200-184-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1372-63-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1372-83-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1380-96-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1392-151-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1428-154-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1428-132-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1452-127-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1460-102-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1536-173-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1536-152-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1556-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1556-3-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1556-13-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1556-1-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1556-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1592-159-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1692-37-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1692-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1692-43-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1768-71-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1840-156-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1840-135-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1872-115-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1996-120-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2020-171-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2100-118-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2100-141-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2120-19-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2120-40-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2120-23-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2196-81-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2372-73-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2448-147-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2520-94-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2528-178-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2560-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2560-51-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2676-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2676-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2676-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2676-20-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/2720-49-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2720-62-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2948-163-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2980-165-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3036-123-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3068-117-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3084-186-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3096-110-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3264-170-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3264-189-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3320-100-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3428-182-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3432-75-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3548-183-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3576-185-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3576-166-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3600-134-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3720-129-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3748-85-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3848-79-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3876-174-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3908-88-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4040-167-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4092-67-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4116-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4116-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4148-179-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4216-168-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4216-187-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4220-106-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4220-86-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4276-137-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4332-172-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4332-192-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4380-125-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4404-131-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4600-77-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4616-169-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4684-104-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4836-175-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4844-190-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4908-112-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/7240-250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7360-260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7460-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7552-278-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7624-288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7720-307-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7816-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7896-318-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7988-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download