2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe
Size

8.2MB
MD5

d0903c92f559b7b635ad4fe5f1ec23c9
SHA1

825169238eb46f4167e554e1f53d4b2fe7cadd74
SHA256

2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858
SHA512

d638fe4c3bfc11b4717ad6eeb8ea43aa93ac37bac92af8cf4d771f60e058b15cea3bdb1f4f043b081df7fab13972a7465bc7b69410b703cf6247aa6684e2143c
SSDEEP

196608:Ieq1uQZt6j8lRv935xxRtXLRkxCeO4fdU:Af8j8l1bRt70O4m

Score

9^/10

discovery evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	LiveUpdate360.exe

Executes dropped EXE 1 IoCs

pid	Process
2544	LiveUpdate360.exe

Loads dropped DLL 1 IoCs

pid	Process
2524	cmd.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
776	tasklist.exe
1016	tasklist.exe
876	tasklist.exe
972	tasklist.exe
2108	tasklist.exe
1232	tasklist.exe
2116	tasklist.exe
1012	tasklist.exe
1668	tasklist.exe
2936	tasklist.exe
1068	tasklist.exe
2032	tasklist.exe
2752	tasklist.exe
1472	tasklist.exe
2488	tasklist.exe
2004	tasklist.exe
2084	tasklist.exe
1184	tasklist.exe
1508	tasklist.exe
2376	tasklist.exe
1124	tasklist.exe
1592	tasklist.exe
2308	tasklist.exe
1748	tasklist.exe
924	tasklist.exe
2836	tasklist.exe
2512	tasklist.exe
2152	tasklist.exe
1052	tasklist.exe
1392	tasklist.exe
796	tasklist.exe
972	tasklist.exe
1524	tasklist.exe
1656	tasklist.exe
2740	tasklist.exe
2280	tasklist.exe
1380	tasklist.exe
1268	tasklist.exe
2764	tasklist.exe
2708	tasklist.exe
2948	tasklist.exe
832	tasklist.exe
2932	tasklist.exe
776	tasklist.exe
364	tasklist.exe
2212	tasklist.exe
1348	tasklist.exe
2832	tasklist.exe
2424	tasklist.exe
2400	tasklist.exe
2100	tasklist.exe
936	tasklist.exe
2416	tasklist.exe
360	tasklist.exe
2504	tasklist.exe
2536	tasklist.exe
2548	tasklist.exe
432	tasklist.exe
2044	tasklist.exe
2100	tasklist.exe
2576	tasklist.exe
3068	tasklist.exe
840	tasklist.exe
3040	tasklist.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1912	ipconfig.exe
1872	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe
1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe
2544	LiveUpdate360.exe
2544	LiveUpdate360.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	tasklist.exe
Token: SeDebugPrivilege	2740	tasklist.exe
Token: SeDebugPrivilege	2752	tasklist.exe
Token: SeDebugPrivilege	936	tasklist.exe
Token: SeDebugPrivilege	2416	tasklist.exe
Token: SeDebugPrivilege	2152	tasklist.exe
Token: SeDebugPrivilege	2100	tasklist.exe
Token: SeDebugPrivilege	360	tasklist.exe
Token: SeDebugPrivilege	1012	tasklist.exe
Token: SeDebugPrivilege	1052	tasklist.exe
Token: SeDebugPrivilege	832	tasklist.exe
Token: SeDebugPrivilege	1348	tasklist.exe
Token: SeDebugPrivilege	776	tasklist.exe
Token: SeDebugPrivilege	1016	tasklist.exe
Token: SeDebugPrivilege	1392	tasklist.exe
Token: SeDebugPrivilege	1452	tasklist.exe
Token: SeDebugPrivilege	1748	tasklist.exe
Token: SeDebugPrivilege	796	tasklist.exe
Token: SeDebugPrivilege	1988	tasklist.exe
Token: SeDebugPrivilege	2504	tasklist.exe
Token: SeDebugPrivilege	2948	tasklist.exe
Token: SeDebugPrivilege	3068	tasklist.exe
Token: SeDebugPrivilege	2832	tasklist.exe
Token: SeDebugPrivilege	2388	tasklist.exe
Token: SeDebugPrivilege	2932	tasklist.exe
Token: SeDebugPrivilege	1380	tasklist.exe
Token: SeDebugPrivilege	1268	tasklist.exe
Token: SeDebugPrivilege	2376	tasklist.exe
Token: SeDebugPrivilege	1592	tasklist.exe
Token: SeDebugPrivilege	972	tasklist.exe
Token: SeDebugPrivilege	1672	tasklist.exe
Token: SeDebugPrivilege	1524	tasklist.exe
Token: SeDebugPrivilege	840	tasklist.exe
Token: SeDebugPrivilege	1608	tasklist.exe
Token: SeDebugPrivilege	776	tasklist.exe
Token: SeDebugPrivilege	3040	tasklist.exe
Token: SeDebugPrivilege	1472	tasklist.exe
Token: SeDebugPrivilege	876	tasklist.exe
Token: SeDebugPrivilege	1124	tasklist.exe
Token: SeDebugPrivilege	2220	tasklist.exe
Token: SeDebugPrivilege	2764	tasklist.exe
Token: SeDebugPrivilege	2536	tasklist.exe
Token: SeDebugPrivilege	2936	tasklist.exe
Token: SeDebugPrivilege	2488	tasklist.exe
Token: SeDebugPrivilege	2724	tasklist.exe
Token: SeDebugPrivilege	2512	tasklist.exe
Token: SeDebugPrivilege	1068	tasklist.exe
Token: SeDebugPrivilege	2576	tasklist.exe
Token: SeDebugPrivilege	1624	tasklist.exe
Token: SeDebugPrivilege	1296	tasklist.exe
Token: SeDebugPrivilege	924	tasklist.exe
Token: SeDebugPrivilege	2092	tasklist.exe
Token: SeDebugPrivilege	1592	tasklist.exe
Token: SeDebugPrivilege	972	tasklist.exe
Token: SeDebugPrivilege	364	tasklist.exe
Token: SeDebugPrivilege	2032	tasklist.exe
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	2140	tasklist.exe
Token: SeDebugPrivilege	2056	tasklist.exe
Token: SeDebugPrivilege	1656	tasklist.exe
Token: SeDebugPrivilege	2308	tasklist.exe
Token: SeDebugPrivilege	2424	tasklist.exe
Token: SeDebugPrivilege	2972	tasklist.exe
Token: SeDebugPrivilege	2708	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2272	1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	30
PID 1628 wrote to memory of 2272	1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	30
PID 1628 wrote to memory of 2272	1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	30
PID 1628 wrote to memory of 2272	1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	30
PID 2272 wrote to memory of 1912	2272	cmd.exe	32
PID 2272 wrote to memory of 1912	2272	cmd.exe	32
PID 2272 wrote to memory of 1912	2272	cmd.exe	32
PID 2272 wrote to memory of 1912	2272	cmd.exe	32
PID 1628 wrote to memory of 2524	1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	34
PID 1628 wrote to memory of 2524	1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	34
PID 1628 wrote to memory of 2524	1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	34
PID 1628 wrote to memory of 2524	1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	34
PID 2524 wrote to memory of 2672	2524	cmd.exe	36
PID 2524 wrote to memory of 2672	2524	cmd.exe	36
PID 2524 wrote to memory of 2672	2524	cmd.exe	36
PID 2524 wrote to memory of 2672	2524	cmd.exe	36
PID 2672 wrote to memory of 2548	2672	cmd.exe	37
PID 2672 wrote to memory of 2548	2672	cmd.exe	37
PID 2672 wrote to memory of 2548	2672	cmd.exe	37
PID 2672 wrote to memory of 2548	2672	cmd.exe	37
PID 2672 wrote to memory of 2788	2672	cmd.exe	38
PID 2672 wrote to memory of 2788	2672	cmd.exe	38
PID 2672 wrote to memory of 2788	2672	cmd.exe	38
PID 2672 wrote to memory of 2788	2672	cmd.exe	38
PID 2524 wrote to memory of 2544	2524	cmd.exe	39
PID 2524 wrote to memory of 2544	2524	cmd.exe	39
PID 2524 wrote to memory of 2544	2524	cmd.exe	39
PID 2524 wrote to memory of 2544	2524	cmd.exe	39
PID 2524 wrote to memory of 2544	2524	cmd.exe	39
PID 2524 wrote to memory of 2544	2524	cmd.exe	39
PID 2524 wrote to memory of 2544	2524	cmd.exe	39
PID 2524 wrote to memory of 2028	2524	cmd.exe	40
PID 2524 wrote to memory of 2028	2524	cmd.exe	40
PID 2524 wrote to memory of 2028	2524	cmd.exe	40
PID 2524 wrote to memory of 2028	2524	cmd.exe	40
PID 1628 wrote to memory of 2568	1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	41
PID 1628 wrote to memory of 2568	1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	41
PID 1628 wrote to memory of 2568	1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	41
PID 1628 wrote to memory of 2568	1628	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	41
PID 2568 wrote to memory of 1404	2568	cmd.exe	43
PID 2568 wrote to memory of 1404	2568	cmd.exe	43
PID 2568 wrote to memory of 1404	2568	cmd.exe	43
PID 2568 wrote to memory of 1404	2568	cmd.exe	43
PID 1404 wrote to memory of 2740	1404	cmd.exe	44
PID 1404 wrote to memory of 2740	1404	cmd.exe	44
PID 1404 wrote to memory of 2740	1404	cmd.exe	44
PID 1404 wrote to memory of 2740	1404	cmd.exe	44
PID 1404 wrote to memory of 2892	1404	cmd.exe	45
PID 1404 wrote to memory of 2892	1404	cmd.exe	45
PID 1404 wrote to memory of 2892	1404	cmd.exe	45
PID 1404 wrote to memory of 2892	1404	cmd.exe	45
PID 2568 wrote to memory of 2832	2568	cmd.exe	46
PID 2568 wrote to memory of 2832	2568	cmd.exe	46
PID 2568 wrote to memory of 2832	2568	cmd.exe	46
PID 2568 wrote to memory of 2832	2568	cmd.exe	46
PID 2524 wrote to memory of 2744	2524	cmd.exe	47
PID 2524 wrote to memory of 2744	2524	cmd.exe	47
PID 2524 wrote to memory of 2744	2524	cmd.exe	47
PID 2524 wrote to memory of 2744	2524	cmd.exe	47
PID 2744 wrote to memory of 2752	2744	cmd.exe	48
PID 2744 wrote to memory of 2752	2744	cmd.exe	48
PID 2744 wrote to memory of 2752	2744	cmd.exe	48
PID 2744 wrote to memory of 2752	2744	cmd.exe	48
PID 2744 wrote to memory of 2804	2744	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe
"C:\Users\Admin\AppData\Local\Temp\2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\\Users\\Default\\AppData\\Roaming\\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2548
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2788
- - C:\Users\Public\Downloads\LiveUpdate360.exe
    "C:\Users\Public\Downloads\LiveUpdate360.exe"
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /all
      4⤵
      PID:1064
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:1872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\\Users\\Default\\AppData\\Roaming\\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd
      4⤵
      PID:1788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:864
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2604
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:876
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:872
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2620
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2940
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:680
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2344
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:1652
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2012
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2264
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:1584
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1096
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2196
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2344
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1672
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:1632
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2232
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1912
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2548
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        
        PID:2400
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1384
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:264
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        
        PID:2456
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2820
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        
        PID:2052
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2376
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2320
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        
        PID:1184
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:632
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:896
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\\Users\\Default\\AppData\\Roaming\\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:1528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2064
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:3040
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2584
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2704
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2580
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2040
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:836
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1172
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:536
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:872
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:236
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2528
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2616
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2228
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:960
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1172
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:1396
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:904
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:3036
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:764
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:1688
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        
        PID:2212
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2844
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        
        PID:1232
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:680
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2084
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2880
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        
        PID:2100
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:3016
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:1600
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        
        PID:1668
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1348
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:904
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2752
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2804
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2416
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2132
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2100
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2376
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:688
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1012
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1172
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:536
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1348
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1608
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1452
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1692
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2936
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2504
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2388
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1964
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2320
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2376
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1524
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1648
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1016
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3040
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2064
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1748
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2220
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1896
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2796
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2488
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1404
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2416
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2092
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1620
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1824
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1644
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1656
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1732
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2808
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2708
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2508
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2892
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      PID:2948
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      PID:2116
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1900
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      PID:2044
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2912
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      PID:1508
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1648
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\\Users\\Default\\AppData\\Roaming\\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2740
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:936
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1296
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2152
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1056
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:360
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1592
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:608
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1052
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1184
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:776
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2364
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1748
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2908
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2948
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2592
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1924
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2932
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2044
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:360
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1592
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1056
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1768
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:840
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:832
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:932
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1472
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:928
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1616
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2764
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1948
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2724
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2816
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1624
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1828
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2880
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1592
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1056
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2004
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2308
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1444
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      PID:2108
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2984
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:2836
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3068
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2564
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      PID:432
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2900
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2040
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1704
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1800
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      PID:2280
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1768
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\AppData\Roaming\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd

Filesize
1KB

MD5
12957d9ee5f3911d439ece539d2b5730

SHA1
e8faedc1ce3a9b4ccb4c3950c4231603fa241b7d

SHA256
6704d285fbbc724f9f71dd7792ada86ee688ce334659db09b2bc62e0bbb0cdca

SHA512
56e17ab2d3b85d8a3cf43b8c828b80db715968ee59e33584eebb555bc9d41b25e1821722b7ed41d14f0dc7dbf41eff6d438ab54d956d9d95770c6d860cb494d5

Download Submit
\Users\Public\Downloads\LiveUpdate360.exe

Filesize
8.2MB

MD5
d0903c92f559b7b635ad4fe5f1ec23c9

SHA1
825169238eb46f4167e554e1f53d4b2fe7cadd74

SHA256
2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858

SHA512
d638fe4c3bfc11b4717ad6eeb8ea43aa93ac37bac92af8cf4d771f60e058b15cea3bdb1f4f043b081df7fab13972a7465bc7b69410b703cf6247aa6684e2143c

Download Submit
memory/1628-1-0x0000000001454000-0x0000000001823000-memory.dmp

Filesize
3.8MB

Download
memory/1628-0-0x0000000001390000-0x0000000001BD4000-memory.dmp

Filesize
8.3MB

Download
memory/1628-2-0x0000000001454000-0x0000000001823000-memory.dmp

Filesize
3.8MB

Download
memory/2544-17-0x0000000001380000-0x0000000001BC4000-memory.dmp

Filesize
8.3MB

Download