rms | 15887cc9d5a5e92b52babd6940bbec527a0388ec3184ef1beff866a8296eecc3

Analysis

max time kernel
164s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
13-02-2022 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15887cc9d5a5e92b52babd6940bbec527a0388ec3184ef1beff866a8296eecc3.exe
Size

3.5MB
MD5

3ddd5b2dbcd30b5d0477fb30133b7bfc
SHA1

912faa649fa1c7b0235f3678ae12d1f78086dfc8
SHA256

15887cc9d5a5e92b52babd6940bbec527a0388ec3184ef1beff866a8296eecc3
SHA512

e904c17d3ec455f3c3f96d8c5156292290e19b6a2b9776552c9bcc56af753076fcd25b4df87f9ec337168a14ae991cf05c2b0d3d151ca734535c3cffe81796ba

Score

10^/10

rms evasion persistence rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022112-136.dat	acprotect
behavioral2/files/0x0007000000021410-153.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2092	data.exe
1740	svhhost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022112-136.dat	upx
behavioral2/files/0x0007000000021410-153.dat	upx

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	15887cc9d5a5e92b52babd6940bbec527a0388ec3184ef1beff866a8296eecc3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	data.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Services = "C:Net\\svhhost.exe"	reg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File created	C:\Windows\4w5tb68h7t987093f4trq893f4rw89etw.txt	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1128	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
1652	tasklist.exe
2068	tasklist.exe
3680	tasklist.exe
3552	tasklist.exe
2944	tasklist.exe
1452	tasklist.exe
2916	tasklist.exe
732	tasklist.exe
3260	tasklist.exe
388	tasklist.exe
3680	tasklist.exe
3228	tasklist.exe
816	tasklist.exe
312	tasklist.exe
1288	tasklist.exe
2976	tasklist.exe
3896	tasklist.exe
2916	tasklist.exe
2592	tasklist.exe
3528	tasklist.exe
4064	tasklist.exe
3692	tasklist.exe
3836	tasklist.exe
2820	tasklist.exe
3560	tasklist.exe
2888	tasklist.exe
1172	tasklist.exe
540	tasklist.exe
4016	tasklist.exe
820	tasklist.exe
2380	tasklist.exe
3252	tasklist.exe
3692	tasklist.exe
312	tasklist.exe
2480	tasklist.exe
2852	tasklist.exe
552	tasklist.exe
1516	tasklist.exe
220	tasklist.exe
920	tasklist.exe
2156	tasklist.exe
2448	tasklist.exe
632	tasklist.exe
2464	tasklist.exe
1260	tasklist.exe
4052	tasklist.exe
3884	tasklist.exe
3400	tasklist.exe
3352	tasklist.exe
1800	tasklist.exe
3180	tasklist.exe
2648	tasklist.exe
3252	tasklist.exe
2500	tasklist.exe
3536	tasklist.exe
2584	tasklist.exe
1940	tasklist.exe
3448	tasklist.exe
2972	tasklist.exe
1288	tasklist.exe
664	tasklist.exe
1148	tasklist.exe
3552	tasklist.exe
4052	tasklist.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.500566"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4108"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132894158146149036"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3936"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.084926"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4332"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	data.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	cmd.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2092	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1740	svhhost.exe
1740	svhhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe
Token: SeRestorePrivilege	3772	TiWorker.exe
Token: SeSecurityPrivilege	3772	TiWorker.exe
Token: SeBackupPrivilege	3772	TiWorker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1740	svhhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2092	1212	15887cc9d5a5e92b52babd6940bbec527a0388ec3184ef1beff866a8296eecc3.exe	70
PID 1212 wrote to memory of 2092	1212	15887cc9d5a5e92b52babd6940bbec527a0388ec3184ef1beff866a8296eecc3.exe	70
PID 1212 wrote to memory of 2092	1212	15887cc9d5a5e92b52babd6940bbec527a0388ec3184ef1beff866a8296eecc3.exe	70
PID 2092 wrote to memory of 4040	2092	data.exe	74
PID 2092 wrote to memory of 4040	2092	data.exe	74
PID 2092 wrote to memory of 4040	2092	data.exe	74
PID 4040 wrote to memory of 1292	4040	WScript.exe	76
PID 4040 wrote to memory of 1292	4040	WScript.exe	76
PID 4040 wrote to memory of 1292	4040	WScript.exe	76
PID 4040 wrote to memory of 1988	4040	WScript.exe	77
PID 4040 wrote to memory of 1988	4040	WScript.exe	77
PID 4040 wrote to memory of 1988	4040	WScript.exe	77
PID 4040 wrote to memory of 3336	4040	WScript.exe	78
PID 4040 wrote to memory of 3336	4040	WScript.exe	78
PID 4040 wrote to memory of 3336	4040	WScript.exe	78
PID 4040 wrote to memory of 2968	4040	WScript.exe	79
PID 4040 wrote to memory of 2968	4040	WScript.exe	79
PID 4040 wrote to memory of 2968	4040	WScript.exe	79
PID 4040 wrote to memory of 1560	4040	WScript.exe	80
PID 4040 wrote to memory of 1560	4040	WScript.exe	80
PID 4040 wrote to memory of 1560	4040	WScript.exe	80
PID 4040 wrote to memory of 3872	4040	WScript.exe	81
PID 4040 wrote to memory of 3872	4040	WScript.exe	81
PID 4040 wrote to memory of 3872	4040	WScript.exe	81
PID 1292 wrote to memory of 1836	1292	wscript.exe	82
PID 1292 wrote to memory of 1836	1292	wscript.exe	82
PID 1292 wrote to memory of 1836	1292	wscript.exe	82
PID 1836 wrote to memory of 3436	1836	cmd.exe	84
PID 1836 wrote to memory of 3436	1836	cmd.exe	84
PID 1836 wrote to memory of 3436	1836	cmd.exe	84
PID 1836 wrote to memory of 2120	1836	cmd.exe	87
PID 1836 wrote to memory of 2120	1836	cmd.exe	87
PID 1836 wrote to memory of 2120	1836	cmd.exe	87
PID 1836 wrote to memory of 3700	1836	cmd.exe	89
PID 1836 wrote to memory of 3700	1836	cmd.exe	89
PID 1836 wrote to memory of 3700	1836	cmd.exe	89
PID 1836 wrote to memory of 2184	1836	cmd.exe	90
PID 1836 wrote to memory of 2184	1836	cmd.exe	90
PID 1836 wrote to memory of 2184	1836	cmd.exe	90
PID 1836 wrote to memory of 2480	1836	cmd.exe	91
PID 1836 wrote to memory of 2480	1836	cmd.exe	91
PID 1836 wrote to memory of 2480	1836	cmd.exe	91
PID 1836 wrote to memory of 2092	1836	cmd.exe	92
PID 1836 wrote to memory of 2092	1836	cmd.exe	92
PID 1836 wrote to memory of 2092	1836	cmd.exe	92
PID 1836 wrote to memory of 1128	1836	cmd.exe	93
PID 1836 wrote to memory of 1128	1836	cmd.exe	93
PID 1836 wrote to memory of 1128	1836	cmd.exe	93
PID 1836 wrote to memory of 1740	1836	cmd.exe	94
PID 1836 wrote to memory of 1740	1836	cmd.exe	94
PID 1836 wrote to memory of 1740	1836	cmd.exe	94
PID 1836 wrote to memory of 4076	1836	cmd.exe	95
PID 1836 wrote to memory of 4076	1836	cmd.exe	95
PID 1836 wrote to memory of 4076	1836	cmd.exe	95
PID 1836 wrote to memory of 1764	1836	cmd.exe	96
PID 1836 wrote to memory of 1764	1836	cmd.exe	96
PID 1836 wrote to memory of 1764	1836	cmd.exe	96
PID 1836 wrote to memory of 968	1836	cmd.exe	97
PID 1836 wrote to memory of 968	1836	cmd.exe	97
PID 1836 wrote to memory of 968	1836	cmd.exe	97
PID 1836 wrote to memory of 1800	1836	cmd.exe	98
PID 1836 wrote to memory of 1800	1836	cmd.exe	98
PID 1836 wrote to memory of 1800	1836	cmd.exe	98
PID 1800 wrote to memory of 748	1800	WScript.exe	99

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3436	attrib.exe
1764	attrib.exe
968	attrib.exe

C:\Users\Admin\AppData\Local\Temp\15887cc9d5a5e92b52babd6940bbec527a0388ec3184ef1beff866a8296eecc3.exe
"C:\Users\Admin\AppData\Local\Temp\15887cc9d5a5e92b52babd6940bbec527a0388ec3184ef1beff866a8296eecc3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe" -p284579G45398T745398T
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      Checks computer location settings
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Log\Windows\hiscomponent\install.bat" "
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Log"
        6⤵
        Views/modifies file attributes
        
        PID:3436
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state off
        6⤵
        
        PID:2120
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        6⤵
        
        PID:3700
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f
        6⤵
        
        PID:2184
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f
        6⤵
        
        PID:2480
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "Windows\hiscomponent\regedit.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:2092
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:1128
      - C:\Net\svhhost.exe
        
        svhhost.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1740
      - C:\Windows\SysWOW64\reg.exe
        
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Services" /t REG_SZ /d "C:Net\svhhost.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:4076
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Net\*.*"
        6⤵
        Views/modifies file attributes
        
        PID:1764
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Net"
        6⤵
        Views/modifies file attributes
        
        PID:968
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Net\process.vbs"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Net\process.bat" "
        7⤵
        
        PID:748
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2648
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3692
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2972
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:980
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2944
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3560
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3448
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:220
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:936
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:552
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1288
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3680
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2888
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:312
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:388
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3400
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:664
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1148
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3552
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3252
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2916
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4052
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:664
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2480
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1652
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:824
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2592
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:204
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3896
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:312
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3352
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1172
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2852
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2448
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:456
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:632
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:816
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:448
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2500
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:968
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3528
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4064
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:732
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3692
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3836
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2464
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3260
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3228
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:312
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:664
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2068
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1452
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:540
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4016
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:552
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1288
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:216
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2820
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:388
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:980
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3536
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:920
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:380
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:640
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:820
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:632
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:780
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1800
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:408
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2156
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3680
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2380
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3252
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2584
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1260
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:620
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2916
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4052
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:820
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2976
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:956
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:540
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1516
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3552
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3884
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1940
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3180
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:220
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:936
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\find.exe
        
        find "svhhost.exe"
        8⤵
        
        PID:2928
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:3336
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:3872

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3420

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3772