cerber | ea1ac23002a691f0822ba54c6624f518251d946492ef1ef5c9286959d86b968b

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll"	regsvr32.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 28 IoCs

Processes:

Peki_Spoofer_V4.exePeki_Spoofer_V4.exedr43.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exe

pid	process
1688	Peki_Spoofer_V4.exe
4264	Peki_Spoofer_V4.exe
1200	dr43.exe
6532	DevManView.exe
6548	DevManView.exe
4600	DevManView.exe
4588	DevManView.exe
2916	DevManView.exe
3384	DevManView.exe
6560	DevManView.exe
6568	DevManView.exe
2672	DevManView.exe
2408	DevManView.exe
3676	DevManView.exe
4792	DevManView.exe
4652	DevManView.exe
6588	DevManView.exe
6636	DevManView.exe
6684	AMIDEWINx64.exe
412	AMIDEWINx64.exe
1180	AMIDEWINx64.exe
4412	AMIDEWINx64.exe
4760	AMIDEWINx64.exe
3572	AMIDEWINx64.exe
252	AMIDEWINx64.exe
248	AMIDEWINx64.exe
3048	AMIDEWINx64.exe
2296	AMIDEWINx64.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0BC6AD-46D4-488B-BE1F-047FC7505E60}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6515834D-6125-4878-A3A3-6B0A73B809A2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{443E7B79-DE31-11D2-B340-00104BCC4B4A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DD82D10-E6F1-11D2-B139-00105A1F77A1}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7A3A54B-0250-11D3-9CD1-00105A1F4801}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C659258-E236-11D2-8899-00104B2AFB46}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3E41207-BE04-492A-AFF0-19E880FF7545}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C0AA9D93-2EF5-47FB-960C-F90FC644B48E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A653086-174F-11D2-B5F9-00104B703EFD}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D1C559D-84F0-4BB3-A7D5-56A7435A9BA6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\InprocServer32\ = "C:\\Windows\\System32\\wbem\\Microsoft.Uev.AgentWmi.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D08B586-343A-11D0-AD46-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C10B4771-4DA0-11D2-A2F5-00C04F86FB7D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4CFC7932-0F9D-4BEF-9C32-8EA2A6B56FCB}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00B8308C-09F2-4c18-A7B0-4594D6B22EFE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD209E2E-813B-41C0-8646-4C3E9C917511}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\InprocServer32\ = "C:\\Windows\\System32\\wbem\\Microsoft.Uev.AgentWmi.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCF33DF4-B510-439F-832A-16B6B514F2A7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC9072AB-C000-49D8-A5AA-00266C8DBB9B}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\InprocServer32\ = "C:\\Windows\\System32\\wbem\\Microsoft.Uev.AgentWmi.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D31B6A3F-9350-40DE-A3FC-A7EDEB9B7C63}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AED384E-CE8B-11D1-8B05-00600806D9B6}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{734AC5AE-68E1-4FB5-B8DA-1D92F7FC6661}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F598975-37E0-4A67-A992-116680F0CEDA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{33831ED4-42B8-11D2-93AD-00805F853771}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33831ED4-42B8-11D2-93AD-00805F853771}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\InprocServer32\ = "C:\\Windows\\System32\\wbem\\Microsoft.Uev.AgentWmi.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD184336-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7998DC37-D3FE-487C-A60A-7701FCC70CC6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D7A4B0E-66D5-4AC3-A7ED-0189E8CF5E77}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAC8A024-21E2-4523-AD73-A71A0AA2F56A}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72970BEB-81F8-46D4-B220-D743F4E49C95}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78103FB7-AED7-4066-8BCD-30BB27B02331}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA527A40-4D9A-11D2-93AD-00805F853771}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F55C5B4C-517D-11D1-AB57-00C04FD9159E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D269BF5C-D9C1-11D3-B38F-00105A1F473A}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5F75737-2843-4F22-933D-C76A97CDA62F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA2AF3B4-C15E-412b-B453-557746675FB7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6c19be35-7500-11d1-ad94-00c04fd8fdff}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{523A581F-EC58-40CE-99D3-36BF7897F3EC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{523A581F-EC58-40CE-99D3-36BF7897F3EC}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\InProcServer32	regsvr32.exe

Enumerates connected drives 3 TTPs 30 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

DevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe

description	ioc	process
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

Processes:

flow	ioc
36	discord.com
88	discord.com
99	discord.com
183	discord.com
39	discord.com
115	discord.com
123	discord.com
155	discord.com
173	discord.com
81	discord.com
93	discord.com
186	discord.com
38	discord.com
89	discord.com
135	discord.com
190	discord.com

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0"	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0"	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe

Drops file in System32 directory 64 IoCs

Processes:

mofcomp.exemofcomp.exesvchost.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exeregsvr32.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exe

description	ioc	process
File created	C:\Windows\system32\wbem\AutoRecover\C59549B4F20BC001A0A645775AB7BE45.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\15CB6E2BC4C7288B6A26F06F2EA3EBAA.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\FD38E89965714BC8838FE9C66DB5567D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\6B4B3EE7432DA52E30DCD4AA1E80B4F2.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2E8F3CA90E51B47160C820C8A9D25C70.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3E2C8A6A5EEECAC8DDDF4B502F3D3118.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\FB42973CC6B430B383BA62328763E302.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\EC334120AAC576B5B016EFBD4CB50498.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B16B0DDE7AC8EE97D6CF843A06985EFA.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2CFB5B149FA396D1AEA5F89B1C5A8D81.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\F0E76792C542307D2F6A5D4DD4C90DB8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\80792982BF972E1BFD199DE5636C38C5.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DB3D8DB0C02C23250753E40A2A69CBE6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\17FFDF80330024B07853138CB5AFAD9C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\88744D2A29102FC88ECF505DD2E984FC.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\F01326692CC5736EBAC31B9FC2381CF2.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\5966D45C7B25EACA46E87DD8E5703964.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\4273CA093A54B161AE6A9FA019048CE8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\77AF494807BB41A0B4B67AEEC51F85C6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\97823DC673AD0F92AB9B83F4C177678B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D209D533EE8C97B5E2C46D035373F422.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AA44637A243C8CA317FA500EB39EAFDF.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C3A0BE17B37ACE48BE78B31580231AE9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\CBD66ABF99AFFFA4375E215A3072C696.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\0772EA28C9AD9F026AA9F29EE684B717.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3DC0BABDCA20E5E319117C21BD4BD795.mof	mofcomp.exe
File created	C:\Windows\system32\perfh009.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\26C097A9392F8C541AD42E89B7909073.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\42C894EEACAD83A4E41154685841B3E1.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8636DC7F9479DACE6778109CB4FB4B01.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A09A7FDBA9278B3329DD4662E80BFE42.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\76FC6ECE6E69615238BD782572B6AE9A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2E4D1429BE1911C37755271D939627EF.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3BB9AB7BAA63F54A0832A3003DBC2FD0.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\844A429FB6680A32838047A6271F8CD9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\38EE6C630467A006990C5977C3058C94.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8C226ACD9934CF6AC0A2FED330FF195D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8EE8FC83289049798EE5B66322A8DA45.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D38FFA40EC29A055EB37EBD604093C62.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\22BD4E705855FAECE7FFAB23C49D3662.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\9792C1210EF405B66D63B9792E3E9FB3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\ADC76C6473F1C3722A0A86C2A9AED340.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	regsvr32.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\D0C5C729E970878A5B11C5AE54A0B179.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\28A02B0A6F3BEA0572B8F35350D88657.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\BE81B2C0741907C1FC1C42B6223E59AD.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\4A870B469F34065CA18AB1FDF6312BDF.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\37134956F76D3C30C9BE0C12571CAF43.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AFFA4734C9FA7C4A3BDE5528A94427A4.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A7575F8DE31A912FFE91A7A41B1E382A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\6FFF7467A5B40765D5740A413CA8BB8A.mof	mofcomp.exe
File created	C:\Windows\system32\perfc009.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\C81ACF420917AA0F87487BC4D958BEB4.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A4E4450F82FCBDED5A110855857A16B9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\B3D1279CF76B72D4874D43A6EF458EF8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B0CDB37CD965AA678CCF2531689C22DE.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\3A01647A9113490045B9D4AE10390941.mof	mofcomp.exe

Drops file in Windows directory 10 IoCs

Processes:

Peki_Spoofer_V4.exeDevManView.exeregsvr32.exePeki Spoofer V4.exePeki_Spoofer_V4.exeDevManView.exe

description	ioc	process
File created	C:\Windows\INF\FNCLEAN.bat	Peki_Spoofer_V4.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe
File created	C:\Windows\INF\Peki_Spoofer_V4.exe	Peki Spoofer V4.exe
File opened for modification	C:\Windows\INF\Peki_Spoofer_V4.exe	Peki_Spoofer_V4.exe
File created	C:\Windows\INF\dr43.exe	Peki_Spoofer_V4.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3880 sc.exe
4228 sc.exe
1692 sc.exe
1092 sc.exe
4840 sc.exe
3768 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3880	sc.exe
4228	sc.exe
1692	sc.exe
1092	sc.exe
4840	sc.exe
3768	sc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Control	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGuid	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGuid	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5052	taskkill.exe
2084	taskkill.exe
4328	taskkill.exe
4948	taskkill.exe
1036	taskkill.exe
1816	taskkill.exe
1404	taskkill.exe
6908	taskkill.exe
2028	taskkill.exe
656	taskkill.exe
6752	taskkill.exe
4568	taskkill.exe
3872	taskkill.exe
2156	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585475979511782"	chrome.exe

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{72970BEB-81F8-46D4-B220-D743F4E49C95}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WINMGMTS\ = "Wbem Scripting Object Path"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6B661-167E-4957-AD77-286AB256585E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD4F53E0-65DC-11D1-AB64-00C04FD9159E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BE41572-91DD-11D1-AEB2-00C04FB68820}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7A3A54B-0250-11D3-9CD1-00105A1F4801}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266C72E5-62E8-11D1-AD89-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{ED999FF5-223A-4052-8ECE-0B10C8DBAA39}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{631F7D97-D993-11D2-B339-00105A1F4AAF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\NotInsertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemNamedValueSet.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04963311-C399-408E-AD51-05D01506EED0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD209E2E-813B-41C0-8646-4C3E9C917511}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemRefresher\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37196B39-CCCF-11D2-B35C-00105A1F8177}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C49E32C6-BC8B-11D2-85D4-00105A1F8304}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFABA8C-1523-11D1-AD79-00C04FD8FDFF}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjectProv.JobObjectProv\CurVer\ = "JobObjectProv.JobObjectProv.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink\CurVer\ = "WbemScripting.SWbemSink.1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35B78F79-B973-48C8-A045-CAEC732A35D5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DE225BF-CF59-4CFC-85F7-68B90F185355}\NotInsertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemNamedValueSet\ = "WBEM Scripting Named Value Collection"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1B55910-8BA0-47A5-A16E-2B733B1D987C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0E4EDDE-475A-498A-93D7-D4347F68A8F3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B60EF4F1-A411-462B-B51E-477CBDBB90B4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\software\classes\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\Implemented Categories\{00000003-0000-0000-C000-000000000046}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{D269BF5C-D9C1-11D3-B38F-00105A1F473A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A504CA2-CA90-4731-87BC-6E99CA2019AF}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjIOActgInfoProv.JobObjIOActgInfoProv\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjIOActgInfoProv.JobObjIOActgInfoProv.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{523A581F-EC58-40CE-99D3-36BF7897F3EC}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{C10B4771-4DA0-11D2-A2F5-00C04F86FB7D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA6-7508-11D1-AD94-00C04FD8FDFF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C9273E0-1DC3-11D3-B364-00105A1F8177}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}	WmiPrvSE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{33831ED4-42B8-11D2-93AD-00805F853771}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D215781D-019E-4FA0-903D-0CDCDE13A4F5}\LaunchPermission = 010004804800000054000000000000001400000002003400020000000100180001000000010200000000000520000000210200000000140001000000010100000000000512000000010100000000000512000000010100000000000512000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F55C5B4C-517D-11D1-AB57-00C04FD9159E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AED384E-CE8B-11D1-8B05-00600806D9B6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC9EA02A-2C8A-4ACD-B562-D7E8EBEE8E8E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6B661-167E-4957-AD77-286AB256585E}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41AA40E6-2FBA-4E80-ADE9-34306567206D}\ProxyStubClsid32	regsvr32.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Peki_Spoofer_V4.exe:Zone.Identifier firefox.exe
Runs net.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Peki_Spoofer_V4.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

chrome.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe

pid	process
2988	chrome.exe
2988	chrome.exe
5316	msedge.exe
5316	msedge.exe
568	msedge.exe
568	msedge.exe
5864	msedge.exe
5864	msedge.exe
6056	msedge.exe
6056	msedge.exe
5760	identity_helper.exe
5760	identity_helper.exe
6548	DevManView.exe
6548	DevManView.exe
6532	DevManView.exe
6532	DevManView.exe
4600	DevManView.exe
4600	DevManView.exe
4588	DevManView.exe
4588	DevManView.exe
2916	DevManView.exe
2916	DevManView.exe
3384	DevManView.exe
3384	DevManView.exe
6560	DevManView.exe
6560	DevManView.exe
2672	DevManView.exe
2672	DevManView.exe
6568	DevManView.exe
6568	DevManView.exe
2408	DevManView.exe
2408	DevManView.exe
3676	DevManView.exe
3676	DevManView.exe
4792	DevManView.exe
4792	DevManView.exe
4652	DevManView.exe
4652	DevManView.exe
6588	DevManView.exe
6588	DevManView.exe
6636	DevManView.exe
6636	DevManView.exe

Suspicious behavior: LoadsDriver 10 IoCs

Processes:

pid process

684
684
684
684
684
684
684
684
684
684

pid	process
684
684
684
684
684
684
684
684
684
684

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe

Suspicious use of FindShellTrayWindow 61 IoCs

Processes:

chrome.exefirefox.exemsedge.exe

pid	process
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

chrome.exefirefox.exemsedge.exe

pid	process
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

firefox.exePeki_Spoofer_V4.exePeki_Spoofer_V4.exeidentity_helper.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exe

pid	process
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
1688	Peki_Spoofer_V4.exe
4264	Peki_Spoofer_V4.exe
5760	identity_helper.exe
6532	DevManView.exe
6548	DevManView.exe
4600	DevManView.exe
4588	DevManView.exe
2916	DevManView.exe
3384	DevManView.exe
6560	DevManView.exe
2672	DevManView.exe
6568	DevManView.exe
2408	DevManView.exe
3676	DevManView.exe
4792	DevManView.exe
4652	DevManView.exe
6588	DevManView.exe
6636	DevManView.exe
6684	AMIDEWINx64.exe
412	AMIDEWINx64.exe
1180	AMIDEWINx64.exe
4412	AMIDEWINx64.exe
4760	AMIDEWINx64.exe
3572	AMIDEWINx64.exe
252	AMIDEWINx64.exe
248	AMIDEWINx64.exe
3048	AMIDEWINx64.exe
2296	AMIDEWINx64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Peki Spoofer V4.execmd.exechrome.exe

description	pid	process	target process
PID 4656 wrote to memory of 2036	4656	Peki Spoofer V4.exe	cmd.exe
PID 4656 wrote to memory of 2036	4656	Peki Spoofer V4.exe	cmd.exe
PID 2036 wrote to memory of 3900	2036	cmd.exe	certutil.exe
PID 2036 wrote to memory of 3900	2036	cmd.exe	certutil.exe
PID 2036 wrote to memory of 2784	2036	cmd.exe	find.exe
PID 2036 wrote to memory of 2784	2036	cmd.exe	find.exe
PID 2036 wrote to memory of 4412	2036	cmd.exe	find.exe
PID 2036 wrote to memory of 4412	2036	cmd.exe	find.exe
PID 4656 wrote to memory of 2360	4656	Peki Spoofer V4.exe	cmd.exe
PID 4656 wrote to memory of 2360	4656	Peki Spoofer V4.exe	cmd.exe
PID 4656 wrote to memory of 2752	4656	Peki Spoofer V4.exe	cmd.exe
PID 4656 wrote to memory of 2752	4656	Peki Spoofer V4.exe	cmd.exe
PID 4656 wrote to memory of 5108	4656	Peki Spoofer V4.exe	cmd.exe
PID 4656 wrote to memory of 5108	4656	Peki Spoofer V4.exe	cmd.exe
PID 2988 wrote to memory of 4292	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 4292	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1496	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1892	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 1892	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe
PID 2988 wrote to memory of 2540	2988	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Peki Spoofer V4.exe
"C:\Users\Admin\AppData\Local\Temp\Peki Spoofer V4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Peki Spoofer V4.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Peki Spoofer V4.exe" MD5
3⤵
PID:3900

C:\Windows\system32\find.exe
find /i /v "md5"
3⤵
PID:2784

C:\Windows\system32\find.exe
find /i /v "certutil"
3⤵
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 5
2⤵
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffe8ccdab58,0x7ffe8ccdab68,0x7ffe8ccdab78
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:2
2⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:8
2⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:8
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:1
2⤵
PID:472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:1
2⤵
PID:2872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3492 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:1
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4316 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:8
2⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4364 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:8
2⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:8
2⤵
PID:1188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:8
2⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:8
2⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4692 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:1
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3376 --field-trial-handle=1744,i,10634657235060286548,671162046993430370,131072 /prefetch:1
2⤵
PID:3896

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2388

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.0.271529817\1128449482" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {273f87e1-00b7-4aa0-bced-3de8ee9e928d} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 1848 24a56d15258 gpu
3⤵
PID:3892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.1.1192983663\1507014158" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87f40d77-715e-420c-8a17-83768f3a99e1} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 2372 24a4a088d58 socket
3⤵
- Checks processor information in registry
PID:2784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.2.368476016\866703993" -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 3080 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbf44ec6-b982-48f1-b7b7-ee2f9fe02a50} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 3052 24a596fca58 tab
3⤵
PID:3348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.3.1968064196\1691590406" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c353e9c0-3dde-42d6-8817-fb7a7e0f4cea} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 924 24a4a079658 tab
3⤵
PID:3680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.4.1926561192\1933987888" -childID 3 -isForBrowser -prefsHandle 5280 -prefMapHandle 5276 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {889ef764-b7f8-405c-8859-7657c997cbef} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 5264 24a5f213958 tab
3⤵
PID:2932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.5.576684673\1315822649" -childID 4 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80193b78-4bf0-4aa8-8ded-c1bfb0527ee9} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 5352 24a5f379858 tab
3⤵
PID:3852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.6.1968222787\256711007" -childID 5 -isForBrowser -prefsHandle 5412 -prefMapHandle 5244 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fc618a2-1cf2-459f-a64c-f4551d549bda} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 5400 24a5f377d58 tab
3⤵
PID:3700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.7.1523459742\1276255425" -childID 6 -isForBrowser -prefsHandle 5412 -prefMapHandle 5588 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29575188-bacf-40a8-856f-d13b4f6e6109} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 5804 24a5fe99c58 tab
3⤵
PID:2188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.8.639387566\267547732" -childID 7 -isForBrowser -prefsHandle 6308 -prefMapHandle 3452 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf61df23-3f68-4efa-872e-69d98fca3425} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 6280 24a5c4c9c58 tab
3⤵
PID:2752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.9.147390476\331605548" -parentBuildID 20230214051806 -prefsHandle 6320 -prefMapHandle 6556 -prefsLen 27774 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {325d8cad-d4d4-4b52-b941-94156743cc49} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 6576 24a5fe7fe58 rdd
3⤵
PID:4140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.10.1511155658\679773157" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6568 -prefMapHandle 6564 -prefsLen 27774 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ea51ee4-0068-473c-a2cb-42181ed67b91} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 6592 24a5fe9a558 utility
3⤵
PID:4916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.11.1152539058\1501336841" -childID 8 -isForBrowser -prefsHandle 5336 -prefMapHandle 5268 -prefsLen 28039 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37b4acd1-3f70-4b4a-931f-786dec2e9b2d} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 5540 24a59660758 tab
3⤵
PID:4772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.12.1017778682\1296452238" -childID 9 -isForBrowser -prefsHandle 6832 -prefMapHandle 2996 -prefsLen 28039 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1647acf-6304-4ab0-b9e9-185d413c8e1b} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 5268 24a5b6bb058 tab
3⤵
PID:2104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.13.1859321061\381314250" -parentBuildID 20230214051806 -sandboxingKind 0 -prefsHandle 5496 -prefMapHandle 6104 -prefsLen 28175 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {739af0f5-f286-439b-8234-e0b8a51ca5b0} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 5568 24a5e8afa58 utility
3⤵
PID:868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004DC
1⤵
PID:4072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4940

C:\Users\Admin\Downloads\Peki_Spoofer_V4.exe
"C:\Users\Admin\Downloads\Peki_Spoofer_V4.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\Peki_Spoofer_V4.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
PID:4620

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\Downloads\Peki_Spoofer_V4.exe" MD5
3⤵
PID:1496

C:\Windows\system32\find.exe
find /i /v "md5"
3⤵
PID:4200

C:\Windows\system32\find.exe
find /i /v "certutil"
3⤵
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 5
2⤵
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\INF\Peki_Spoofer_V4.exe
2⤵
PID:4836

C:\Windows\INF\Peki_Spoofer_V4.exe
C:\Windows\INF\Peki_Spoofer_V4.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Peki Spoofer V4
4⤵
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color 1f
4⤵
PID:568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/akfDT6Gb8K
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe7a343cb8,0x7ffe7a343cc8,0x7ffe7a343cd8
5⤵
PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2
5⤵
PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
5⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
5⤵
PID:5608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
5⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
5⤵
PID:6044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5232 /prefetch:8
5⤵
PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5216 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
5⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
5⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
5⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5518764155973309625,8347246835655281308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
5⤵
PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color f
4⤵
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic diskdrive get model, serialnumber
4⤵
PID:5884

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get model, serialnumber
5⤵
PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
4⤵
PID:6140

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
5⤵
PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
4⤵
PID:1148

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
5⤵
PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c getmac
4⤵
PID:5620

C:\Windows\system32\getmac.exe
getmac
5⤵
PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color f
4⤵
PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:6256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d "f0ff5e34-dbfa-bdb1-2717c125c5fe875b" /f
4⤵
PID:6416

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d "f0ff5e34-dbfa-bdb1-2717c125c5fe875b" /f
5⤵
PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\IDconfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d "{f0ff5e34-dbfa-bdb1-2717c125c5fe875b"} /f
4⤵
PID:7004

C:\Windows\system32\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\IDconfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d "{f0ff5e34-dbfa-bdb1-2717c125c5fe875b"} /f
5⤵
PID:7020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v NetworkAddress /t REG_SZ /d "7f3233615dca" /f
4⤵
PID:6416

C:\Windows\system32\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v NetworkAddress /t REG_SZ /d "7f3233615dca" /f
5⤵
PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\INF\dr43.exe
4⤵
PID:6484

C:\Windows\INF\dr43.exe
C:\Windows\INF\dr43.exe
5⤵
- Executes dropped EXE
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\lol.bat
6⤵
PID:6520

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6532

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "Disk drive*" /use_wildcard""
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6548

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "C:\"
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4600

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "D:\"
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4588

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "E:\"
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2916

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "F:\"
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3384

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "G:\"
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6560

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "Disk"
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6568

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "disk"
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2672

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "Disk&*" /use_wildcard""
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2408

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3676

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4792

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4652

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "STORAGE*" /use_wildcard""
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6588

C:\ProgramData\Microsoft\Windows\DevManView.exe
DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%PR-WARE%RANDOM%SS
6⤵
PID:6668

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 15370PR-WARE2751SS
7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%PR-WARE%RANDOM%SV
6⤵
PID:2872

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 215370PR-WARE2751SV
7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%PR-WARE%RANDOM%SV
6⤵
PID:6712

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 815370PR-WARE2751SV
7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
6⤵
PID:3588

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%PR-WARE%RANDOM%SK
6⤵
PID:3256

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 515370PR-WARE2751SK
7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%PR-WARE%RANDOM%BM
6⤵
PID:2700

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 415370PR-WARE2751BM
7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%PR-WARE%RANDOM%BS
6⤵
PID:2108

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 615373PR-WARE13499BS
7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%PR-WARE%RANDOM%BV
6⤵
PID:4248

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 315373PR-WARE13499BV
7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%PR-WARE%RANDOM%PSN
6⤵
PID:3144

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 715373PR-WARE13499PSN
7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM Costa-Tech-Support
6⤵
PID:992

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM Costa-Tech-Support
7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
6⤵
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\amide.sys
6⤵
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
6⤵
PID:6720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM DevManView.exe /F
6⤵
PID:6736

C:\Windows\system32\taskkill.exe
taskkill /IM DevManView.exe /F
7⤵
- Kills process with taskkill
PID:6752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\DevManView.exe
6⤵
PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\DevManView.cfg
6⤵
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\DevManView.chm
6⤵
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\lol.bat
6⤵
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color f
4⤵
PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic diskdrive get model, serialnumber
4⤵
PID:6812

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get model, serialnumber
5⤵
PID:6824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
4⤵
PID:2344

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
5⤵
PID:6860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
4⤵
PID:6896

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
5⤵
PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c getmac
4⤵
PID:3488

C:\Windows\system32\getmac.exe
getmac
5⤵
PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color f
4⤵
PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\INF\FNCLEAN.bat
4⤵
PID:6608

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
5⤵
PID:6920

C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
5⤵
- Cerber
- Kills process with taskkill
PID:1404

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
5⤵
- Cerber
- Kills process with taskkill
PID:6908

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
5⤵
- Cerber
- Kills process with taskkill
PID:2028

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
5⤵
- Cerber
- Kills process with taskkill
PID:4568

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
5⤵
- Cerber
- Kills process with taskkill
PID:5052

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
5⤵
- Cerber
- Kills process with taskkill
PID:2084

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
5⤵
- Cerber
- Kills process with taskkill
PID:4328

C:\Windows\system32\taskkill.exe
taskkill /f /im UnrealCEFSubProcess.exe
5⤵
- Cerber
- Kills process with taskkill
PID:1036

C:\Windows\system32\taskkill.exe
taskkill /f /im CEFProcess.exe
5⤵
- Cerber
- Kills process with taskkill
PID:3872

C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
5⤵
- Cerber
- Kills process with taskkill
PID:4948

C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
5⤵
- Cerber
- Kills process with taskkill
PID:2156

C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
5⤵
- Cerber
- Kills process with taskkill
PID:1816

C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
5⤵
- Cerber
- Kills process with taskkill
PID:656

C:\Windows\system32\sc.exe
Sc stop EasyAntiCheat
5⤵
- Launches sc.exe
PID:4228

C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_EAC
5⤵
- Launches sc.exe
PID:1692

C:\Windows\system32\sc.exe
Sc stop BattleEye
5⤵
- Launches sc.exe
PID:1092

C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_BE
5⤵
- Launches sc.exe
PID:4840

C:\Windows\system32\sc.exe
sc config winmgmt start= disabled
5⤵
- Launches sc.exe
PID:3768

C:\Windows\system32\net.exe
net stop winmgmt /y
5⤵
PID:3080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
6⤵
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b *.dll
5⤵
PID:2832

C:\Windows\system32\regsvr32.exe
regsvr32 /s appbackgroundtask.dll
5⤵
PID:400

C:\Windows\system32\regsvr32.exe
regsvr32 /s cimwin32.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:4560

C:\Windows\system32\regsvr32.exe
regsvr32 /s DMWmiBridgeProv.dll
5⤵
PID:2244

C:\Windows\system32\regsvr32.exe
regsvr32 /s DMWmiBridgeProv1.dll
5⤵
PID:1392

C:\Windows\system32\regsvr32.exe
regsvr32 /s dnsclientcim.dll
5⤵
PID:1736

C:\Windows\system32\regsvr32.exe
regsvr32 /s dnsclientpsprovider.dll
5⤵
PID:6068

C:\Windows\system32\regsvr32.exe
regsvr32 /s Dscpspluginwkr.dll
5⤵
PID:3788

C:\Windows\system32\regsvr32.exe
regsvr32 /s dsprov.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:7032

C:\Windows\system32\regsvr32.exe
regsvr32 /s EmbeddedLockdownWmi.dll
5⤵
PID:7008

C:\Windows\system32\regsvr32.exe
regsvr32 /s esscli.dll
5⤵
- Registers COM server for autorun
PID:1440

C:\Windows\system32\regsvr32.exe
regsvr32 /s EventTracingManagement.dll
5⤵
PID:5936

C:\Windows\system32\regsvr32.exe
regsvr32 /s fastprox.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:7080

C:\Windows\system32\regsvr32.exe
regsvr32 /s ipmiprr.dll
5⤵
PID:7096

C:\Windows\system32\regsvr32.exe
regsvr32 /s ipmiprv.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:7128

C:\Windows\system32\regsvr32.exe
regsvr32 /s KrnlProv.dll
5⤵
PID:7108

C:\Windows\system32\regsvr32.exe
regsvr32 /s MDMAppProv.dll
5⤵
PID:5260

C:\Windows\system32\regsvr32.exe
regsvr32 /s MDMSettingsProv.dll
5⤵
PID:7156

C:\Windows\system32\regsvr32.exe
regsvr32 /s Microsoft.AppV.AppVClientWmi.dll
5⤵
PID:5376

C:\Windows\system32\regsvr32.exe
regsvr32 /s Microsoft.Uev.AgentWmi.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:6164

C:\Windows\system32\regsvr32.exe
regsvr32 /s MMFUtil.dll
5⤵
PID:6180

C:\Windows\system32\regsvr32.exe
regsvr32 /s mofd.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:6196

C:\Windows\system32\regsvr32.exe
regsvr32 /s mofinstall.dll
5⤵
PID:6212

C:\Windows\system32\regsvr32.exe
regsvr32 /s msdtcwmi.dll
5⤵
PID:6276

C:\Windows\system32\regsvr32.exe
regsvr32 /s msiprov.dll
5⤵
PID:6048

C:\Windows\system32\regsvr32.exe
regsvr32 /s NCProv.dll
5⤵
PID:6076

C:\Windows\system32\regsvr32.exe
regsvr32 /s ndisimplatcim.dll
5⤵
PID:6148

C:\Windows\system32\regsvr32.exe
regsvr32 /s NetAdapterCim.dll
5⤵
PID:6248

C:\Windows\system32\regsvr32.exe
regsvr32 /s netdacim.dll
5⤵
PID:6176

C:\Windows\system32\regsvr32.exe
regsvr32 /s NetEventPacketCapture.dll
5⤵
PID:5684

C:\Windows\system32\regsvr32.exe
regsvr32 /s netnccim.dll
5⤵
PID:5696

C:\Windows\system32\regsvr32.exe
regsvr32 /s NetPeerDistCim.dll
5⤵
PID:5712

C:\Windows\system32\regsvr32.exe
regsvr32 /s netswitchteamcim.dll
5⤵
PID:5952

C:\Windows\system32\regsvr32.exe
regsvr32 /s NetTCPIP.dll
5⤵
PID:5796

C:\Windows\system32\regsvr32.exe
regsvr32 /s netttcim.dll
5⤵
PID:5292

C:\Windows\system32\regsvr32.exe
regsvr32 /s nlmcim.dll
5⤵
PID:5360

C:\Windows\system32\regsvr32.exe
regsvr32 /s ntevt.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:1216

C:\Windows\system32\regsvr32.exe
regsvr32 /s PolicMan.dll
5⤵
PID:364

C:\Windows\system32\regsvr32.exe
regsvr32 /s PrintManagementProvider.dll
5⤵
PID:3108

C:\Windows\system32\regsvr32.exe
regsvr32 /s qoswmi.dll
5⤵
PID:5732

C:\Windows\system32\regsvr32.exe
regsvr32 /s RacWmiProv.dll
5⤵
PID:5584

C:\Windows\system32\regsvr32.exe
regsvr32 /s repdrvfs.dll
5⤵
- Registers COM server for autorun
PID:5620

C:\Windows\system32\regsvr32.exe
regsvr32 /s schedprov.dll
5⤵
PID:5616

C:\Windows\system32\regsvr32.exe
regsvr32 /s ServDeps.dll
5⤵
PID:6260

C:\Windows\system32\regsvr32.exe
regsvr32 /s SMTPCons.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:6296

C:\Windows\system32\regsvr32.exe
regsvr32 /s stdprov.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:6116

C:\Windows\system32\regsvr32.exe
regsvr32 /s vdswmi.dll
5⤵
- Registers COM server for autorun
PID:6320

C:\Windows\system32\regsvr32.exe
regsvr32 /s viewprov.dll
5⤵
PID:6324

C:\Windows\system32\regsvr32.exe
regsvr32 /s vpnclientpsprovider.dll
5⤵
PID:1276

C:\Windows\system32\regsvr32.exe
regsvr32 /s vsswmi.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:6356

C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcntl.dll
5⤵
- Registers COM server for autorun
PID:5320

C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcons.dll
5⤵
- Modifies registry class
PID:5324

C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcore.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:5352

C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemdisp.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:5656

C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemess.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:6384

C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemprox.dll
5⤵
- Registers COM server for autorun
PID:3028

C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemsvc.dll
5⤵
- Modifies registry class
PID:5196

C:\Windows\system32\regsvr32.exe
regsvr32 /s WdacWmiProv.dll
5⤵
PID:6412

C:\Windows\system32\regsvr32.exe
regsvr32 /s wfascim.dll
5⤵
PID:6432

C:\Windows\system32\regsvr32.exe
regsvr32 /s Win32_EncryptableVolume.dll
5⤵
PID:6464

C:\Windows\system32\regsvr32.exe
regsvr32 /s Win32_Tpm.dll
5⤵
PID:1284

C:\Windows\system32\regsvr32.exe
regsvr32 /s WinMgmtR.dll
5⤵
PID:5748

C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiApRes.dll
5⤵
PID:5916

C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiApRpl.dll
5⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:5604

C:\Windows\system32\regsvr32.exe
regsvr32 /s WMICOOKR.dll
5⤵
PID:5828

C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiDcPrv.dll
5⤵
- Registers COM server for autorun
PID:5592

C:\Windows\system32\regsvr32.exe
regsvr32 /s wmipcima.dll
5⤵
- Registers COM server for autorun
PID:5840

C:\Windows\system32\regsvr32.exe
regsvr32 /s wmipdfs.dll
5⤵
PID:1464

C:\Windows\system32\regsvr32.exe
regsvr32 /s wmipdskq.dll
5⤵
PID:6084

C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiPerfClass.dll
5⤵
- Registers COM server for autorun
PID:2636

C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiPerfInst.dll
5⤵
- Registers COM server for autorun
PID:4844

C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPICMP.dll
5⤵
- Registers COM server for autorun
PID:6476

C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPIPRT.dll
5⤵
- Registers COM server for autorun
PID:6436

C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPJOBJ.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:2440

C:\Windows\system32\regsvr32.exe
regsvr32 /s wmiprov.dll
5⤵
- Modifies registry class
PID:6500

C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiPrvSD.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:816

C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPSESS.dll
5⤵
PID:6544

C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIsvc.dll
5⤵
- Sets DLL path for service in the registry
- Modifies registry class
PID:3608

C:\Windows\system32\regsvr32.exe
regsvr32 /s wmitimep.dll
5⤵
PID:2020

C:\Windows\system32\regsvr32.exe
regsvr32 /s wmiutils.dll
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:4492

C:\Windows\System32\wbem\WmiPrvSE.exe
wmiprvse /regserver
5⤵
- Modifies registry class
PID:6540

C:\Windows\System32\wbem\WinMgmt.exe
winmgmt /regserver
5⤵
PID:2076

C:\Windows\system32\sc.exe
sc config winmgmt start= auto
5⤵
- Launches sc.exe
PID:3880

C:\Windows\system32\net.exe
net start winmgmt
5⤵
PID:3248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start winmgmt
6⤵
PID:6548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
5⤵
PID:6568

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\aeinv.mof
5⤵
- Drops file in System32 directory
PID:2672

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AgentWmi.mof
5⤵
- Drops file in System32 directory
PID:4964

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof
5⤵
- Drops file in System32 directory
PID:3308

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof
5⤵
PID:2712

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof
5⤵
PID:4944

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AuditRsop.mof
5⤵
PID:1552

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\authfwcfg.mof
5⤵
PID:2108

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\bcd.mof
5⤵
PID:1380

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof
5⤵
PID:6732

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cimdmtf.mof
5⤵
- Drops file in System32 directory
PID:6764

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cimwin32.mof
5⤵
- Drops file in System32 directory
PID:6792

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\CIWmi.mof
5⤵
- Drops file in System32 directory
PID:1504

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\classlog.mof
5⤵
PID:2980

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cli.mof
5⤵
- Drops file in System32 directory
PID:852

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cliegaliases.mof
5⤵
PID:6824

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ddp.mof
5⤵
- Drops file in System32 directory
PID:6860

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dimsjob.mof
5⤵
PID:3724

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dimsroam.mof
5⤵
PID:4848

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof
5⤵
PID:4584

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof
5⤵
- Drops file in System32 directory
PID:1068

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof
5⤵
PID:2992

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof
5⤵
PID:6948

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dnsclientcim.mof
5⤵
- Drops file in System32 directory
PID:1468

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof
5⤵
- Drops file in System32 directory
PID:3548

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof
5⤵
PID:336

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\drvinst.mof
5⤵
PID:4628

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscCore.mof
5⤵
PID:6960

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof
5⤵
- Drops file in System32 directory
PID:4140

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dscproxy.mof
5⤵
- Drops file in System32 directory
PID:6620

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscTimer.mof
5⤵
PID:3480

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dsprov.mof
5⤵
- Drops file in System32 directory
PID:6984

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\eaimeapi.mof
5⤵
PID:1640

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof
5⤵
PID:2752

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof
5⤵
PID:5184

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof
5⤵
- Drops file in System32 directory
PID:5140

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdPHost.mof
5⤵
PID:1680

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdrespub.mof
5⤵
PID:4048

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdSSDP.mof
5⤵
PID:4572

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdWNet.mof
5⤵
PID:4112

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdWSD.mof
5⤵
PID:2188

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\filetrace.mof
5⤵
PID:7020

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\firewallapi.mof
5⤵
PID:7092

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof
5⤵
- Drops file in System32 directory
PID:7120

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\FunDisc.mof
5⤵
PID:7160

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fwcfg.mof
5⤵
PID:6092

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\hbaapi.mof
5⤵
PID:6196

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\hnetcfg.mof
5⤵
- Drops file in System32 directory
PID:6044

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
5⤵
PID:7036

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
5⤵
PID:5708

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
5⤵
PID:5664

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\interop.mof
5⤵
- Drops file in System32 directory
PID:5292

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof
5⤵
PID:4540

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ipmiprv.mof
5⤵
- Drops file in System32 directory
PID:5472

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof
5⤵
PID:6300

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
5⤵
PID:6116

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsidsc.mof
5⤵
- Drops file in System32 directory
PID:6344

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsihba.mof
5⤵
- Drops file in System32 directory
PID:5836

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiprf.mof
5⤵
PID:6364

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsirem.mof
5⤵
PID:3028

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof
5⤵
- Drops file in System32 directory
PID:6412

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof
5⤵
PID:5876

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\kerberos.mof
5⤵
PID:5916

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\krnlprov.mof
5⤵
- Drops file in System32 directory
PID:5944

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\L2SecHC.mof
5⤵
- Drops file in System32 directory
PID:5964

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lltdio.mof
5⤵
PID:5240

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lltdsvc.mof
5⤵
PID:5272

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lsasrv.mof
5⤵
PID:5264

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mblctr.mof
5⤵
PID:5336

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMAppProv.mof
5⤵
PID:5832

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof
5⤵
- Drops file in System32 directory
PID:6084

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof
5⤵
PID:6476

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof
5⤵
PID:6504

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
5⤵
PID:2996

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
5⤵
PID:4056

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof
5⤵
- Drops file in System32 directory
PID:912

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof
5⤵
- Drops file in System32 directory
PID:748

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof
5⤵
PID:6688

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mispace.mof
5⤵
PID:1932

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof
5⤵
PID:1572

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mmc.mof
5⤵
PID:4556

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mountmgr.mof
5⤵
PID:1172

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpeval.mof
5⤵
PID:2792

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpsdrv.mof
5⤵
PID:3136

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpssvc.mof
5⤵
PID:4824

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof
5⤵
- Drops file in System32 directory
PID:6724

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msfeeds.mof
5⤵
PID:6756

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
5⤵
PID:1756

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msi.mof
5⤵
PID:6752

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msiscsi.mof
5⤵
PID:232

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof
5⤵
- Drops file in System32 directory
PID:4604

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mstsc.mof
5⤵
PID:6812

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mstscax.mof
5⤵
PID:2344

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msv1_0.mof
5⤵
PID:6896

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mswmdm.mof
5⤵
PID:200

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ncprov.mof
5⤵
- Drops file in System32 directory
PID:1836

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ncsi.mof
5⤵
PID:3404

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ndistrace.mof
5⤵
PID:4624

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof
5⤵
PID:6904

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof
5⤵
- Drops file in System32 directory
PID:2028

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof
5⤵
PID:2368

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof
5⤵
PID:2084

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netdacim.mof
5⤵
- Drops file in System32 directory
PID:3860

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof
5⤵
PID:796

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof
5⤵
- Drops file in System32 directory
PID:3084

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof
5⤵
PID:868

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netnccim.mof
5⤵
PID:1692

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof
5⤵
PID:3088

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof
5⤵
- Drops file in System32 directory
PID:924

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof
5⤵
PID:4772

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netprofm.mof
5⤵
PID:5144

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof
5⤵
- Drops file in System32 directory
PID:5228

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetTCPIP.mof
5⤵
PID:2652

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof
5⤵
PID:2832

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netttcim.mof
5⤵
PID:400

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof
5⤵
PID:6936

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
5⤵
PID:4728

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\newdev.mof
5⤵
PID:7032

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlasvc.mof
5⤵
PID:7008

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlmcim.mof
5⤵
PID:7096

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof
5⤵
PID:6228

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlsvc.mof
5⤵
PID:2068

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\npivwmi.mof
5⤵
PID:6164

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nshipsec.mof
5⤵
PID:6220

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ntevt.mof
5⤵
- Drops file in System32 directory
PID:6160

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ntfs.mof
5⤵
PID:5612

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof
5⤵
- Drops file in System32 directory
PID:5720

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof
5⤵
PID:5952

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
5⤵
PID:6064

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
5⤵
PID:6136

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
5⤵
PID:6240

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
5⤵
PID:6296

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\pcsvDevice.mof
5⤵
PID:6328

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof
5⤵
PID:5352

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
5⤵
PID:5836

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PolicMan.mof
5⤵
- Drops file in System32 directory
PID:6384

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polproc.mof
5⤵
PID:6400

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polprocl.mof
5⤵
PID:6020

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polprou.mof
5⤵
PID:5648

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polstore.mof
5⤵
PID:7048

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
5⤵
PID:5488

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
5⤵
PID:5160

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
5⤵
PID:5316

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
5⤵
PID:5312

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
5⤵
PID:5824

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
5⤵
- Drops file in System32 directory
PID:1944

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof
5⤵
PID:6460

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
5⤵
- Drops file in System32 directory
PID:5176

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
5⤵
- Drops file in System32 directory
PID:5060

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
5⤵
PID:4076

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof
5⤵
PID:4852

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
5⤵
- Drops file in System32 directory
PID:4080

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof
5⤵
PID:6548

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qmgr.mof
5⤵
PID:3384

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmi.mof
5⤵
PID:1592

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmitrc.mof
5⤵
PID:2872

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof
5⤵
PID:4412

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof
5⤵
PID:1220

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
5⤵
- Drops file in System32 directory
PID:2268

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpendp.mof
5⤵
- Drops file in System32 directory
PID:392

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpinit.mof
5⤵
PID:2796

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpshell.mof
5⤵
PID:992

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\refs.mof
5⤵
PID:6592

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\refsv1.mof
5⤵
PID:776

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\regevent.mof
5⤵
- Drops file in System32 directory
PID:1756

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof
5⤵
- Drops file in System32 directory
PID:6752

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rsop.mof
5⤵
- Drops file in System32 directory
PID:852

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rspndr.mof
5⤵
PID:6824

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\samsrv.mof
5⤵
PID:6852

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scersop.mof
5⤵
- Drops file in System32 directory
PID:3096

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\schannel.mof
5⤵
PID:2688

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SchedProv.mof
5⤵
- Drops file in System32 directory
PID:6528

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scm.mof
5⤵
- Drops file in System32 directory
PID:4584

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scrcons.mof
5⤵
- Drops file in System32 directory
PID:1068

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sdbus.mof
5⤵
PID:2992

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\secrcw32.mof
5⤵
PID:4568

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
5⤵
PID:2236

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ServiceModel.mof
5⤵
- Drops file in System32 directory
PID:332

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
5⤵
PID:336

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\services.mof
5⤵
PID:4220

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\setupapi.mof
5⤵
PID:6960

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof
5⤵
- Drops file in System32 directory
PID:3448

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\smbwmiv2.mof
5⤵
- Drops file in System32 directory
PID:3200

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\smtpcons.mof
5⤵
- Drops file in System32 directory
PID:1052

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sppwmi.mof
5⤵
PID:2972

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sr.mof
5⤵
PID:5284

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sstpsvc.mof
5⤵
PID:3704

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi.mof
5⤵
PID:1712

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof
5⤵
- Drops file in System32 directory
PID:1680

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof
5⤵
PID:5092

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof
5⤵
PID:4880

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\stortrace.mof
5⤵
PID:2188

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\subscrpt.mof
5⤵
PID:7032

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\system.mof
5⤵
PID:7136

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tcpip.mof
5⤵
PID:7156

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tsallow.mof
5⤵
PID:6192

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tscfgwmi.mof
5⤵
PID:4532

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tsmf.mof
5⤵
PID:6156

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tspkg.mof
5⤵
PID:5724

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umb.mof
5⤵
PID:6160

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umbus.mof
5⤵
PID:5612

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umpass.mof
5⤵
PID:5640

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umpnpmgr.mof
5⤵
PID:5952

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof
5⤵
PID:1492

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof
5⤵
PID:5584

C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof
5⤵
PID:6240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Drops file in System32 directory
PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery