2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe
Size

8.2MB
MD5

d0903c92f559b7b635ad4fe5f1ec23c9
SHA1

825169238eb46f4167e554e1f53d4b2fe7cadd74
SHA256

2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858
SHA512

d638fe4c3bfc11b4717ad6eeb8ea43aa93ac37bac92af8cf4d771f60e058b15cea3bdb1f4f043b081df7fab13972a7465bc7b69410b703cf6247aa6684e2143c
SSDEEP

196608:Ieq1uQZt6j8lRv935xxRtXLRkxCeO4fdU:Af8j8l1bRt70O4m

Score

9^/10

discovery evasion spyware stealer

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	LiveUpdate360.exe

Executes dropped EXE 1 IoCs

pid	Process
4576	LiveUpdate360.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
2924	tasklist.exe
4256	tasklist.exe
4316	tasklist.exe
228	tasklist.exe
1824	tasklist.exe
2364	tasklist.exe
4348	tasklist.exe
3948	tasklist.exe
1564	tasklist.exe
4424	tasklist.exe
964	tasklist.exe
3220	tasklist.exe
2492	tasklist.exe
4820	tasklist.exe
3572	tasklist.exe
3536	tasklist.exe
1984	tasklist.exe
3884	tasklist.exe
3068	tasklist.exe
1692	tasklist.exe
1196	tasklist.exe
3516	tasklist.exe
3536	tasklist.exe
5020	tasklist.exe
2492	tasklist.exe
4792	tasklist.exe
3908	tasklist.exe
3584	tasklist.exe
2232	tasklist.exe
4744	tasklist.exe
4628	tasklist.exe
2772	tasklist.exe
4088	tasklist.exe
5104	tasklist.exe
3220	tasklist.exe
1548	tasklist.exe
3112	tasklist.exe
4528	tasklist.exe
3824	tasklist.exe
4024	tasklist.exe
1468	tasklist.exe
4540	tasklist.exe
4460	tasklist.exe
2320	tasklist.exe
2364	tasklist.exe
2704	tasklist.exe
4828	tasklist.exe
3648	tasklist.exe
2840	tasklist.exe
3996	tasklist.exe
4952	tasklist.exe
3640	tasklist.exe
3552	tasklist.exe
4592	tasklist.exe
624	tasklist.exe
3540	tasklist.exe
2600	tasklist.exe
3684	tasklist.exe
2636	tasklist.exe
3268	tasklist.exe
3996	tasklist.exe
1420	tasklist.exe
3536	tasklist.exe
1420	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1708	ipconfig.exe
3184	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe
2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe
2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe
2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe
4576	LiveUpdate360.exe
4576	LiveUpdate360.exe
4576	LiveUpdate360.exe
4576	LiveUpdate360.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	tasklist.exe
Token: SeDebugPrivilege	1468	tasklist.exe
Token: SeDebugPrivilege	3640	tasklist.exe
Token: SeDebugPrivilege	624	tasklist.exe
Token: SeDebugPrivilege	2956	tasklist.exe
Token: SeDebugPrivilege	3536	tasklist.exe
Token: SeDebugPrivilege	1692	tasklist.exe
Token: SeDebugPrivilege	3220	tasklist.exe
Token: SeDebugPrivilege	2492	tasklist.exe
Token: SeDebugPrivilege	3948	tasklist.exe
Token: SeDebugPrivilege	836	tasklist.exe
Token: SeDebugPrivilege	3648	tasklist.exe
Token: SeDebugPrivilege	2320	tasklist.exe
Token: SeDebugPrivilege	2736	tasklist.exe
Token: SeDebugPrivilege	4628	tasklist.exe
Token: SeDebugPrivilege	1564	tasklist.exe
Token: SeDebugPrivilege	3540	tasklist.exe
Token: SeDebugPrivilege	4028	tasklist.exe
Token: SeDebugPrivilege	1420	tasklist.exe
Token: SeDebugPrivilege	4348	tasklist.exe
Token: SeDebugPrivilege	4744	tasklist.exe
Token: SeDebugPrivilege	1548	tasklist.exe
Token: SeDebugPrivilege	2600	tasklist.exe
Token: SeDebugPrivilege	4540	tasklist.exe
Token: SeDebugPrivilege	3112	tasklist.exe
Token: SeDebugPrivilege	4820	tasklist.exe
Token: SeDebugPrivilege	4424	tasklist.exe
Token: SeDebugPrivilege	5020	tasklist.exe
Token: SeDebugPrivilege	2924	tasklist.exe
Token: SeDebugPrivilege	3684	tasklist.exe
Token: SeDebugPrivilege	2772	tasklist.exe
Token: SeDebugPrivilege	2840	tasklist.exe
Token: SeDebugPrivilege	2636	tasklist.exe
Token: SeDebugPrivilege	3852	tasklist.exe
Token: SeDebugPrivilege	2492	tasklist.exe
Token: SeDebugPrivilege	3192	tasklist.exe
Token: SeDebugPrivilege	4528	tasklist.exe
Token: SeDebugPrivilege	4236	tasklist.exe
Token: SeDebugPrivilege	4828	tasklist.exe
Token: SeDebugPrivilege	1224	tasklist.exe
Token: SeDebugPrivilege	964	tasklist.exe
Token: SeDebugPrivilege	3572	tasklist.exe
Token: SeDebugPrivilege	3552	tasklist.exe
Token: SeDebugPrivilege	2364	tasklist.exe
Token: SeDebugPrivilege	3540	tasklist.exe
Token: SeDebugPrivilege	3536	tasklist.exe
Token: SeDebugPrivilege	4792	tasklist.exe
Token: SeDebugPrivilege	4528	tasklist.exe
Token: SeDebugPrivilege	4088	tasklist.exe
Token: SeDebugPrivilege	3824	tasklist.exe
Token: SeDebugPrivilege	3268	tasklist.exe
Token: SeDebugPrivilege	3996	tasklist.exe
Token: SeDebugPrivilege	3908	tasklist.exe
Token: SeDebugPrivilege	4256	tasklist.exe
Token: SeDebugPrivilege	4316	tasklist.exe
Token: SeDebugPrivilege	2296	tasklist.exe
Token: SeDebugPrivilege	4952	tasklist.exe
Token: SeDebugPrivilege	228	tasklist.exe
Token: SeDebugPrivilege	4592	tasklist.exe
Token: SeDebugPrivilege	5104	tasklist.exe
Token: SeDebugPrivilege	3584	tasklist.exe
Token: SeDebugPrivilege	4024	tasklist.exe
Token: SeDebugPrivilege	1824	tasklist.exe
Token: SeDebugPrivilege	3996	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 764	2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	94
PID 2300 wrote to memory of 764	2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	94
PID 2300 wrote to memory of 764	2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	94
PID 764 wrote to memory of 1708	764	cmd.exe	96
PID 764 wrote to memory of 1708	764	cmd.exe	96
PID 764 wrote to memory of 1708	764	cmd.exe	96
PID 2300 wrote to memory of 5024	2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	97
PID 2300 wrote to memory of 5024	2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	97
PID 2300 wrote to memory of 5024	2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	97
PID 5024 wrote to memory of 3948	5024	cmd.exe	99
PID 5024 wrote to memory of 3948	5024	cmd.exe	99
PID 5024 wrote to memory of 3948	5024	cmd.exe	99
PID 3948 wrote to memory of 1068	3948	cmd.exe	100
PID 3948 wrote to memory of 1068	3948	cmd.exe	100
PID 3948 wrote to memory of 1068	3948	cmd.exe	100
PID 3948 wrote to memory of 1196	3948	cmd.exe	101
PID 3948 wrote to memory of 1196	3948	cmd.exe	101
PID 3948 wrote to memory of 1196	3948	cmd.exe	101
PID 5024 wrote to memory of 4576	5024	cmd.exe	102
PID 5024 wrote to memory of 4576	5024	cmd.exe	102
PID 5024 wrote to memory of 4576	5024	cmd.exe	102
PID 5024 wrote to memory of 3648	5024	cmd.exe	103
PID 5024 wrote to memory of 3648	5024	cmd.exe	103
PID 5024 wrote to memory of 3648	5024	cmd.exe	103
PID 2300 wrote to memory of 4824	2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	104
PID 2300 wrote to memory of 4824	2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	104
PID 2300 wrote to memory of 4824	2300	2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe	104
PID 4824 wrote to memory of 3800	4824	cmd.exe	106
PID 4824 wrote to memory of 3800	4824	cmd.exe	106
PID 4824 wrote to memory of 3800	4824	cmd.exe	106
PID 3800 wrote to memory of 1468	3800	cmd.exe	107
PID 3800 wrote to memory of 1468	3800	cmd.exe	107
PID 3800 wrote to memory of 1468	3800	cmd.exe	107
PID 3800 wrote to memory of 4248	3800	cmd.exe	108
PID 3800 wrote to memory of 4248	3800	cmd.exe	108
PID 3800 wrote to memory of 4248	3800	cmd.exe	108
PID 4824 wrote to memory of 1608	4824	cmd.exe	109
PID 4824 wrote to memory of 1608	4824	cmd.exe	109
PID 4824 wrote to memory of 1608	4824	cmd.exe	109
PID 5024 wrote to memory of 3000	5024	cmd.exe	111
PID 5024 wrote to memory of 3000	5024	cmd.exe	111
PID 5024 wrote to memory of 3000	5024	cmd.exe	111
PID 3000 wrote to memory of 3640	3000	cmd.exe	112
PID 3000 wrote to memory of 3640	3000	cmd.exe	112
PID 3000 wrote to memory of 3640	3000	cmd.exe	112
PID 3000 wrote to memory of 224	3000	cmd.exe	113
PID 3000 wrote to memory of 224	3000	cmd.exe	113
PID 3000 wrote to memory of 224	3000	cmd.exe	113
PID 5024 wrote to memory of 2704	5024	cmd.exe	114
PID 5024 wrote to memory of 2704	5024	cmd.exe	114
PID 5024 wrote to memory of 2704	5024	cmd.exe	114
PID 4824 wrote to memory of 396	4824	cmd.exe	117
PID 4824 wrote to memory of 396	4824	cmd.exe	117
PID 4824 wrote to memory of 396	4824	cmd.exe	117
PID 396 wrote to memory of 624	396	cmd.exe	118
PID 396 wrote to memory of 624	396	cmd.exe	118
PID 396 wrote to memory of 624	396	cmd.exe	118
PID 396 wrote to memory of 4820	396	cmd.exe	119
PID 396 wrote to memory of 4820	396	cmd.exe	119
PID 396 wrote to memory of 4820	396	cmd.exe	119
PID 4824 wrote to memory of 4580	4824	cmd.exe	120
PID 4824 wrote to memory of 4580	4824	cmd.exe	120
PID 4824 wrote to memory of 4580	4824	cmd.exe	120
PID 4576 wrote to memory of 1756	4576	LiveUpdate360.exe	121

C:\Users\Admin\AppData\Local\Temp\2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe
"C:\Users\Admin\AppData\Local\Temp\2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\\Users\\Default\\AppData\\Roaming\\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1068
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1196
- - C:\Users\Public\Downloads\LiveUpdate360.exe
    "C:\Users\Public\Downloads\LiveUpdate360.exe"
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      PID:1756
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:3184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\\Users\\Default\\AppData\\Roaming\\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd
      4⤵
      PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:4564
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:4596
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:396
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:4288
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:764
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:3784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:4472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2908
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:4608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:3740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:4672
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2080
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2204
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:3292
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:3704
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:3960
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2548
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:1988
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:3120
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:4048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2224
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:4200
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:3164
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        
        PID:3644
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:620
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:4156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:1148
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        
        PID:2232
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:624
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:4680
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:3884
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:4520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:3640
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        
        PID:3068
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:4952
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        
        PID:3220
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\\Users\\Default\\AppData\\Roaming\\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd
      4⤵
      PID:4012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:4968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2956
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:436
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:1032
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:4864
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:3932
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:224
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:3392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2548
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:4456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:3504
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:3244
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:952
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1468
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:508
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:436
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:4980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:3344
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:3576
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:3212
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:4180
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:2236
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:4892
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:3344
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:4944
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:4472
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        
        PID:1984
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:3112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:4980
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        
        PID:2704
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:2376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:3192
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        
        PID:3364
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:3180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
        5⤵
        
        PID:1724
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist.exe
        6⤵
        Enumerates processes with tasklist
        
        PID:4460
      - C:\Windows\SysWOW64\find.exe
        
        find /I "LiveUpdate360.exe"
        6⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /t 5 /d y /n
        5⤵
        
        PID:760
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3640
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:224
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2956
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:752
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:5032
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1692
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:5104
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:4856
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2492
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2884
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2920
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3648
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3180
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1564
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3552
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:4244
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4348
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:3564
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1620
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4540
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:3920
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2212
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5020
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1128
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:4884
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2840
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:3708
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3940
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3192
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4496
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3268
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1224
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:4628
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4384
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2364
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1756
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:844
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4528
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1632
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4120
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3996
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:964
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5032
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2296
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:4488
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2704
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5104
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:3356
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:4512
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3996
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:4820
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2748
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      PID:3536
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:436
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:3096
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:3504
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:4644
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:4192
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4604
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:4444
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:4244
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:624
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\\Users\\Default\\AppData\\Roaming\\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1468
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:4248
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:624
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:4820
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2760
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3536
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:3684
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3220
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:3228
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1196
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3948
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:3940
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2208
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2736
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:4120
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4580
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4028
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:920
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:3348
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1548
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2092
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:3996
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4820
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:508
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3684
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:3536
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3852
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3700
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:4140
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4236
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:3344
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1760
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3572
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:428
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3536
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1964
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2040
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3824
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2376
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:452
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4256
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:620
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:624
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:228
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2232
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:1224
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4024
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:4572
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      PID:2364
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1596
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:2264
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      PID:1420
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:3584
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:1196
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1696
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      Enumerates processes with tasklist
      PID:3516
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:4788
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "LiveUpdate360.exe"
    3⤵
    PID:4992
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist.exe
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\find.exe
      find /I "LiveUpdate360.exe"
      4⤵
      PID:1964
- - C:\Windows\SysWOW64\choice.exe
    choice /t 5 /d y /n
    3⤵
    PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\AppData\Roaming\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd

Filesize
1KB

MD5
12957d9ee5f3911d439ece539d2b5730

SHA1
e8faedc1ce3a9b4ccb4c3950c4231603fa241b7d

SHA256
6704d285fbbc724f9f71dd7792ada86ee688ce334659db09b2bc62e0bbb0cdca

SHA512
56e17ab2d3b85d8a3cf43b8c828b80db715968ee59e33584eebb555bc9d41b25e1821722b7ed41d14f0dc7dbf41eff6d438ab54d956d9d95770c6d860cb494d5

Download Submit
C:\Users\Public\Downloads\LiveUpdate360.exe

Filesize
8.2MB

MD5
d0903c92f559b7b635ad4fe5f1ec23c9

SHA1
825169238eb46f4167e554e1f53d4b2fe7cadd74

SHA256
2646461707172485e60002d3ed77c130ccb02fd2ffc8a97756100d3194991858

SHA512
d638fe4c3bfc11b4717ad6eeb8ea43aa93ac37bac92af8cf4d771f60e058b15cea3bdb1f4f043b081df7fab13972a7465bc7b69410b703cf6247aa6684e2143c

Download Submit
memory/2300-1-0x0000000000224000-0x00000000005F3000-memory.dmp

Filesize
3.8MB

Download
memory/2300-0-0x0000000000160000-0x00000000009A4000-memory.dmp

Filesize
8.3MB

Download
memory/2300-2-0x0000000000224000-0x00000000005F3000-memory.dmp

Filesize
3.8MB

Download
memory/4576-10-0x0000000000404000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/4576-11-0x0000000000340000-0x0000000000B84000-memory.dmp

Filesize
8.3MB

Download
memory/4576-14-0x0000000000404000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download